Abstract: The financial and banking system in Vietnam is currently confronted with a myriad of cybersecurity risks, 
a matter of paramount concern for the government, businesses, and individuals alike. These risks threaten the financial 
system's security, reliability, and integrity, potentially resulting in significant economic losses. This research endeavors 
to identify the prevailing cybersecurity risks in Vietnam's financial and banking system, assess their impact, and 
elucidate the interrelationships among these risks. Employing the Multi-Criteria Decision Making (MCDM) approach, 
the study integrates the DELPHI technique, Decision-Making Trial and Evaluation Laboratory (DEMATEL), and 
Combined Compromise Solution (COCOSO) methods, complemented by Neutrosophic Sets (NS) and Z-number 
concepts to enhance the accuracy and reliability of the findings. The research findings reveal the existence of 15 
cybersecurity risks in Vietnam's financial and banking system, with Malware Infections and Supply Chain 
Vulnerabilities emerging as the most consequential risks. Moreover, the study identifies investing in advanced threat 
detection systems as the optimal strategy for mitigating cybersecurity risks in Vietnam. The results underscore the 
importance of addressing these critical risks to safeguard the financial infrastructure, focusing on deploying robust 
cybersecurity measures to enhance overall system resilience. 


Index terms: Multi-Criteria Decision Making (MCDM), Neutrosophic Z-number (NZN), Neutrosophic Sets, 
Z-number, Financial and banking system, Cybersecurity, Risks 


1. Introduction 


Cybersecurity in the finance and banking sector, particularly in Vietnam, is paramount as we transition to a digital 
economy [1]. The financial industry is a prime target for cybercriminals due to its high volume of valuable financial 
data and assets, resulting in escalating cybersecurity risks. In Vietnam, the digital transformation of the banking system 
is rapidly underway, with most banks implementing or developing their digital strategies in response to pervasive 
technological advancements [2]. Despite the recognized importance of cybersecurity, Vietnam's finance and banking 
sector faces several challenges in effectively addressing cyber risks. These challenges include the constantly evolving 
nature of cyber threats, the complexity of financial systems and technologies, the shortage of skilled cybersecurity 
professionals, and the lack of a comprehensive risk management framework [3]. Moreover, the globalization of 
financial services and the interconnectedness of institutions have expanded the potential attack surface, complicating 
the identification and mitigation of cyber risks. Cybersecurity also enables banks to prevent and respond to hacks, 
unauthorized access, data breaches, and other online threats [4]. 


Cybersecurity is critical to the financial industry’s success, protecting sensitive customer data, ensuring the integrity 
of financial transactions, and confirming compliance with regulatory requirements [5]. Robust cybersecurity strategies 
also help banks secure funds and prevent financial losses. Additionally, cybersecurity allows banks to prevent and 
react to hacks, unauthorized access, data breaches, and other online threats. Cybersecurity risks encompass threats to 
the confidentiality, integrity, and availability of information and systems, posing potential adverse impacts on 
organizational operations, assets, and national security [6,7]. Financial institutions' escalating digitization and 
interconnectivity heighten vulnerability to evolving threats, jeopardizing sensitive data, operations, and stakeholder 
trust. Beyond financial losses, cybersecurity breaches entail reputational damage, loss of customer trust, and regulatory 
repercussions [8]. 


Vietnam's emergence as a regional financial hub intensifies the urgency of addressing these risks, underscoring the 
imperative to comprehend, mitigate, and manage cybersecurity threats to safeguard the stability and integrity of the 
financial and banking system in today's digitally interconnected landscape [9]. Given the complexities and 
uncertainties associated with cybersecurity risks, traditional risk assessment methods may fall short of providing a 
holistic and practical approach to decision-making [10,11]. There is a pressing need for a comprehensive strategic 
decision-making framework that integrates expert opinions, considers the interrelationships between various risk 
factors and mitigation strategies, and accounts for the inherent uncertainty and vagueness in cybersecurity assessments 
[12]. Therefore, this study aims to formulate comprehensive strategic decision-making models tailored to the dynamic 
and challenging business environment characterized by Turbulence, Uncertainty, Novelty, and Ambiguity (TUNA) 
using the MCDM methods. The research objectives are as follows: 


(i) Identify and assess the critical cybersecurity risks in Vietnam's finance and banking system. 

(ii) Analyze the potential impact and the interconnectedness of crucial cybersecurity risks in Vietnam's 
finance and banking system. 

(iii) Prioritize strategies for mitigating these risks using strategic decision-making models, incorporating 
uncertainty and vagueness using neutrosophic sets and Z numbers. 


While cybersecurity risk analysis is addressed in academic literature, few studies approach it as a multi-criteria 
decision-making problem [13]. Moreover, empirical examinations of cybersecurity risks and mitigation strategies in 
Vietnam's finance and banking sector using MCDM models are lacking. Hence, this research aims to bridge this gap 
by addressing vital questions: 


(i) What are key cybersecurity risks in Vietnam's finance and banking system? 
(ii) How do these key cybersecurity risks correlate in Vietnam's finance and banking system? 
(iii) How can the proposed model be validated for prioritizing strategies for mitigating the identified 
cybersecurity risks? 


Neutrosophic sets (NS), used in this study, are a significant advancement in fuzzy set theory [14,15]. Smarandache [16] 
proposed them to represent uncertain, incomplete, imprecise, and indeterminate information in real-world problems. 
NS is a generalization of the fuzzy set: fuzzy sets tackle uncertainty using a single membership grade, whereas 
neutrosophic sets tackle uncertainty using the truth, indeterminacy, and falsity membership grades, which are 
considered independent [17]. This study gains 
access to more comprehensive and accurate information about experts' responses by leveraging neutrosophic sets. 
Consequently, the calculation results are expected to more faithfully reflect reality, enhancing the overall quality and 
reliability of the research findings. In addition to the general form of NS, the Single-Valued Neutrosophic Set (SVNS) 
is proposed as a specific instance that is particularly useful for real-world scientific and engineering applications [18-21]. 
This assumption is beneficial in various scenarios, such as information fusion, where data from different sensors 
must be integrated. SVNS, being a subset of NS, utilizes single-valued memberships, thereby inheriting the 
mathematical properties of NS [18-20]. In this study, we employ the concept of NS to establish a general concept and 
build upon previous research that combines neutrosophic fuzzy sets with Z-numbers. In decision-making, assessments 
often occur amidst incomplete information and uncertainty [22]. Compared to other versions of fuzzy sets such as 
Fuzzy Sets [23], Hexagon fuzzy numbers [24,25], Type-2 fuzzy sets [26], Intuitionistic fuzzy sets (IFSs) [27], Hesitant 
fuzzy sets (HFSs) [28], Pythagorean fuzzy sets (PyFSs) [29], Picture fuzzy sets (PFSs) [30], Spherical fuzzy sets 
(SFSs) [31,32], and T-Spherical fuzzy sets (T-SFSs) [33], NS have the following unique characteristics. 


Unlike ordinary fuzzy sets [23], which consider only the degree of membership, NS encompasses an object’s degree 
of truth, indeterminacy, and falsity. This comprehensive representation enables a more accurate modeling of real- 
world situations. For instance, in medical diagnosis, patient symptoms may not definitively indicate a specific disease 
(truth) nor entirely rule it out (falsity) while also exhibiting some ambiguity (indeterminacy). NS can capture this 
complexity more effectively than fuzzy sets. Additionally, while Type-2 fuzzy sets were developed to address 
uncertainties, they lack the capability to handle indeterminacy. By incorporating an indeterminacy membership 
function, NS can effectively manage such situations. For example, in weather forecasting, predictions may be 
uncertain (Type-2 fuzzy set), but indeterminacy arising from climate change can be modeled using NS. Assuming 
$\alpha(x)$, $\beta(x)$, and $\gamma(x)$ represent memberships for truth, indeterminacy, and falsity, respectively, with $x \in [0,1]$, we 
have $0 \le \alpha(x) + \beta(x) + \gamma(x) \le 3$. Unlike other fuzzy types, where the maximum sum is typically limited to 1, the sum of 
the three memberships in NS can reach a maximum value of 3. This characteristic allows for a broader 
observation range, enhancing accuracy, which distinguishes NS from other fuzzy types. 


IFSs, introduced by Atanassov [27] in 1986, consider an object’s degree of membership and non-membership. 
Although IFSs have notable advantages, they still face limitations when the sum of membership degree (MD) and 
non-membership degree (NMD) exceeds 1 [34,35]. For instance, assume $w(x)$ represents MD and $\vartheta(x)$ represents 
NMD of an IFS number; the constraint is typically defined as $0 \le w(x) + \vartheta(x) \le 1$. However, when $w(x) = 0.6$ 
and $\vartheta(x) = 0.7$, the sum of MD and NMD equals 1.3, surpassing the limit of 1 set by IFSs. In this case, NS, with a 
maximum number of memberships equal to three, offers a solution to this issue. Furthermore, IFSs do not account for 
the degree of indeterminacy. NS, conversely, considers an object’s degree of truth, indeterminacy, and falsity, thus 
providing a more comprehensive representation. For example, in predicting stock market trends, the prediction might 
be partially true (bullish trend), partially false (bearish trend), and partially indeterminate (market volatility). 
Neutrosophic sets can model this situation more accurately than IFSs. 


HFSs, introduced by Torra [28] in 2010, allow decision-makers to assign multiple possible membership degrees to an 
element, offering flexibility but lacking in handling indeterminacy. NS, with its indeterminacy membership function, 
addresses this limitation. For instance, in group decision-making, differing expert opinions and consensus ambiguity 
can be captured using Neutrosophic sets. Additionally, while the maximum membership value of HFSs does not 
exceed 1, the total membership of NS can reach up to 3, underscoring the superiority of NS over HFSs. 


PyFSs, introduced by Yager [29] in 2013, extend the concept of IFSs by allowing the sum of the membership and non- 
membership degrees to be greater than 1 in many cases. In some instances, even with PyFSs, the sum of the squared 
MD and NMD values may still exceed 1, violating the condition. Assuming $w$ represents MD and $\vartheta$ represents NMD 
of a PyFS, the constraint is typically defined as $0 \le w(x)^2 + \vartheta(x)^2 \le 1$. With $w(x) = 0.7$ and $\vartheta(x) = 0.8$, 
$w(x)^2 + \vartheta(x)^2$ results in 1.13, contravening the PyFSs condition. Therefore, NS, which allows for a maximum total 
membership of 3, offers an advantageous solution in such scenarios. Similar to IFSs, PyFSs also still do not account 
for the degree of indeterminacy. NS can accommodate truth, indeterminacy, and falsity and offer a more precise 
modeling approach than IFSs, HFSs, and PyFSs. 


PFSs, proposed by Cuong and Kreinovich [30] in 2014, introduce a new membership degree called “hesitation” to 
handle uncertainty. While this provides a certain level of flexibility, it still cannot comprehensively handle 
indeterminacy. For instance, in a weather prediction scenario, the forecast might be partially sunny (membership), 
partially not sunny (non-membership), and partially uncertain due to unpredictable factors (indeterminacy). With their 
indeterminacy membership function, Neutrosophic sets can handle this better than PFS. Furthermore, similar to IFS, 
PyFS, or HFS, the constraint that the total membership of PFS does not exceed one may be violated in certain cases 
[36]. For instance, considering $u(x)$ as the membership grade, $v(x)$ as the neutrality level, and $A(x)$ as the 
non-membership level of a number in PFS, the condition is $0 \le u(x) + v(x) + A(x) \le 1$. With $u(x) = 0.5$, $v(x) = 0.4$, 
and $A(x) = 0.3$, the sum $u(x) + v(x) + A(x)$ equals 1.2, which contravenes the condition. In contrast, NS allows 
the three memberships to total up to 3, so a sum of 1.2 is admissible, demonstrating the advantages of NS over PFS. 


To address situations where the sum of three PFSs memberships exceeds one, SFSs, introduced by Gündoğdu and 
Kahraman [32] in 2019, have been proposed with the primary concept being the square of three PFS memberships 
[22,37-39]. Assuming $u(x)$ represents the membership degree, $v(x)$ the neutrality degree, and $A(x)$ the 
non-membership degree of a number in PFSs, the condition is $0 \le u(x)^2 + v(x)^2 + A(x)^2 \le 1$. Squaring can resolve 
many instances where the sum of three memberships exceeds 1; for instance, the previous case, where 
$u(x)^2 + v(x)^2 + A(x)^2 = 0.5$, no longer violates the assumption. However, if we consider $u(x) = 0.8$, $v(x) = 0.7$, and 
$A(x) = 0.6$, the value of $u(x)^2 + v(x)^2 + A(x)^2$ equals 1.49, thus contravening the assumption of SFSs. Nevertheless, 
NS accommodates cases where the total membership exceeds one, underscoring its advantages over PFSs and 
SFSs. 
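
The numeric cases in the preceding paragraphs can be checked mechanically. The following Python sketch is an added example, not code from the paper; the function names `check_pair`, `check_triple` and `admitted_by` are hypothetical, and it uses exact decimal arithmetic so that the sums match the figures quoted above (1.3, 1.13, 1.2, 0.5, 1.49).

```python
"""Added example: which set families admit a given tuple of membership grades."""
from decimal import Decimal

FAMILIES = ("IFS", "PyFS", "PFS", "SFS", "NS")


def _grades(*values):
    """Convert grades to exact decimals and enforce the [0, 1] range."""
    grades = [Decimal(str(v)) for v in values]
    for g in grades:
        if not 0 <= g <= 1:
            raise ValueError(f"membership grade {g} is outside [0, 1]")
    return grades


def check_pair(md, nmd):
    """Two-grade families (MD, NMD), as in the IFS and PyFS paragraphs."""
    grades = _grades(md, nmd)
    total = sum(grades)
    squares = sum(g ** 2 for g in grades)
    return {
        "sum": total,
        "sum_of_squares": squares,
        "IFS": total <= 1,      # 0 <= MD + NMD <= 1
        "PyFS": squares <= 1,   # 0 <= MD^2 + NMD^2 <= 1
    }


def check_triple(first, second, third):
    """Three-grade families, as in the PFS, SFS and NS paragraphs."""
    grades = _grades(first, second, third)
    total = sum(grades)
    squares = sum(g ** 2 for g in grades)
    return {
        "sum": total,
        "sum_of_squares": squares,
        "PFS": total <= 1,      # sum of the three grades at most 1
        "SFS": squares <= 1,    # sum of the squared grades at most 1
        "NS": total <= 3,       # holds for any three grades in [0, 1]
    }


def admitted_by(result):
    """Names of the families whose constraint the grades satisfy."""
    return [name for name in FAMILIES if result.get(name)]


# The four worked cases from the text (values taken from the paragraphs above).
CASES = [
    ("IFS case", check_pair, (0.6, 0.7)),
    ("PyFS case", check_pair, (0.7, 0.8)),
    ("PFS case", check_triple, (0.5, 0.4, 0.3)),
    ("SFS case", check_triple, (0.8, 0.7, 0.6)),
]

if __name__ == "__main__":
    for label, check, grades in CASES:
        result = check(*grades)
        print(f"{label}: grades={grades} sum={result['sum']} "
              f"sum_of_squares={result['sum_of_squares']} "
              f"admitted_by={admitted_by(result)}")
```
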


Considering membership's observational meaning, NS also offers unique advantages over SFSs and T-Spherical Fuzzy 
Sets (T-SFSs). SFSs and T-SFSs, proposed by Ullah et al. [33] in 2020, are extensions of fuzzy sets that incorporate 
the concept of direction in decision-making. However, neither SFS nor T-SFS explicitly accounts for the degree of 
indeterminacy. For example, in a decision-making scenario involving investment options, an investor might be 
partially inclined towards an option (membership), partially disinclined (non-membership), and partially uncertain 
due to market volatility (indeterminacy). While SFSs and T-SFSs can capture the investor’s inclination towards or 
away from an option, they do not adequately handle the uncertainty aspect. With their ability to handle truth, 
indeterminacy, and falsity, NS can model this situation more accurately. Moreover, NS provides a more flexible and 
comprehensive tool for dealing with such uncertainties in complex decision-making scenarios where the data is 
incomplete, inconsistent, or uncertain. Thus, despite the advancements brought by SFSs and T-SFSs, NS still holds a 
significant edge when it comes to handling uncertainty, imprecision, and indeterminacy in real-world situations. 


In decision-making, uncertainties are ubiquitous, and decisions often arise in contexts where information is incomplete 
[40-42]. Hence, acknowledging the inherent uncertainty in decision-making processes is crucial [43]. Z-numbers, 
pioneered by Zadeh [44], emerged as indispensable tools in response to this need. Specifically designed for 
computations in uncertain and incompletely reliable environments, Z-numbers offer a structured approach to handling 
uncertainty and incomplete information. Z-numbers comprise two integral components: the Z-number and fuzzy 
information, encapsulating the assessment score and the associated reliability level [44]. Thus, Z-numbers offer a 
significant complement to NS. While NS excels in handling uncertainty, imprecision, and indeterminacy, they lack 
explicit consideration of the reliability of the information source. This is where Z-numbers play a crucial role. As an 
extension of fuzzy numbers, Z-numbers incorporate a measure of reliability [45]. For instance, imagine two financial 
analysts offering company growth forecasts. While NS can represent the analysts’ forecasts in terms of truth, 
indeterminacy, and falsity, they overlook the analysts' reliability. Conversely, Z-numbers can model both the forecast 
(the "restriction") and the reliability of the analyst (the "reliability"). This enables a more thorough analysis, as 
decision-makers can now weigh both the forecast and the source's reliability. Consequently, Z-numbers complement 
Neutrosophic sets, enhancing decision-making in scenarios where the source's reliability is critical. 


The motivation and novelty of this research stem from the proposal and application of NS combined with the 
Z-number concept in MCDM methods to assess cybersecurity risks and prioritize top strategies in Vietnam's finance and 
banking system. Integrating Z-numbers and NS (NZN) is essential to fully leveraging their strengths. This integration 
establishes a robust system capable of handling uncertainty, imprecision, and indeterminacy while considering the 
reliability of the information source. Such an approach enhances the accuracy and reliability of decision-making 
processes across various domains, from finance to engineering. Initially gathered in linguistic form, expert responses 
are converted to NZN for computation using the MCDM method. This combination allows for a comprehensive and 
nuanced analysis of uncertain and incomplete information, improving the quality and reliability of decision-making. 


This study proposes a three-stage MCDM method of DELPHI, DEMATEL, and COCOSO in conjunction with NZN. 
The DELPHI method validates the importance and relevance of identified potential risks. Subsequently, risks validated 
through the NZN DELPHI phase undergo weighting for influence and analysis of cause-and-effect relationships using 
the NZN DEMATEL method. Finally, proposed strategies are ranked for effectiveness and utility through the NZN 
COCOSO method. Additionally, a comparative analysis is conducted using results obtained from the NZN Technique 
for Order Performance By Similarity To Ideal Solution (TOPSIS) and NZN Multiplicative Form Of Multiple 
Objectives (MULTIMOORA) methods. Notably, including a variable validation step using NZN DELPHI enhances 
the thoroughness of risk filtering and validation, thereby elevating the overall quality of the research compared to prior 
studies. 


As a result, this study makes several significant contributions to cybersecurity risk management within Vietnam's 
finance and banking sectors. Firstly, it proposes and develops comprehensive strategic decision-making models 
tailored to the dynamic and challenging business environment characterized by TUNA. By integrating methods with 
NZN, the study offers novel approaches for assessing, prioritizing, and mitigating cybersecurity risks. Secondly, 
through empirical analysis and expert consultations, the study identifies and assesses vital cybersecurity risks specific 
to Vietnam's finance and banking system, contributing to a deeper understanding of the threat landscape and enabling 
stakeholders to address vulnerabilities proactively. In terms of theoretical and mathematical advancements, this study 
distinguishes itself from previous research utilizing the same methodology by introducing a novel approach for 
calculating expert weights based on their experience and education level. It also proposes a pooling formula 
incorporating these expert weights, as detailed in Section 3. By considering expert weights, the study enhances the 
accuracy and reliability of the results, acknowledging that experts possess varying qualifications and experience. This 
methodological enhancement ensures that the assessments reflect a more nuanced and credible aggregation of expert 
opinions, thereby contributing significantly to the robustness of the study's findings. Thirdly, by employing the 
DEMATEL method, causal relationships between risks are elucidated, providing insights into their influence and 
interrelationships, thus aiding in the analysis of interconnectedness and potential impact of identified cybersecurity 
risks within the finance and banking system. 


Furthermore, the study introduces a model and associated calculation formulas for the NZN DELPHI method, thereby 
validating the variables based on expert opinions. This methodological contribution enhances the rigor of the 
validation process and ensures that the variables are assessed with greater precision and reliability. By leveraging 
expert insights through the NZN DELPHI method, the study provides a robust framework for evaluating complex 
issues, thereby significantly advancing the field's understanding and application of expert-driven validation techniques. 
Additionally, using the COCOSO algorithm, the study prioritizes mitigation strategies for addressing identified 
cybersecurity risks, incorporating uncertainty and vagueness through neutrosophic sets and Z numbers, thereby 
offering robust and reliable decision-making frameworks for stakeholders to implement effective risk mitigation 
measures. Finally, through empirical analysis and comparative assessments, the study validates the proposed models 
for prioritizing mitigation strategies, enhancing confidence in their utility and reliability. Overall, these contributions 
are expected to have significant implications for industry stakeholders, policymakers, and researchers, facilitating 
proactive risk mitigation efforts and strengthening the resilience of financial systems in the face of evolving cyber 
threats. 


The remainder of this research consists of four sections. Section 2 will review previous studies and present the research 
model. Section 3 will elucidate the concepts and calculation formulas associated with each method. Section 4 presents 
the case study and analyzes the results. Finally, section 5 will summarize and conclude the research findings. 


2. Literature Review 
2.1 Literature Review on Established Method 


Recent years have witnessed a surge in research efforts to leverage advanced mathematical models to address complex 
decision-making problems. In particular, NZN has emerged as a promising approach to tackling uncertainties in 
various real-world scenarios. Table 1 provides an overview of related works that have applied NS and Z fuzzy numbers 
in decision-making processes. 


Table 1. Related Work applied NS and Z Number 

Characteristics: Uncertainty, Expert weight, Criteria weight, Relations, Ranking, Reliability 

No  Authors                      Methods                                                        Characteristics marked
1   Mohamad Sharaf et al. [46]   Type-2 Neutrosophic Fuzzy-Weighted Zero-Inconsistency and      X X X
                                 Type-2 Neutrosophic Fuzzy Decision by Opinion Score Method
2   Lu et al. [47]               Simplified neutrosophic TOPSIS                                 X X
3   Ye et al. [48]               Aczel-Alsina Weighted Aggregation Operators of                 X X X
                                 Neutrosophic Z-Numbers
4   Diznarda et al. [14]         Neutrosophic AHP and DEMATEL                                   X X X
5   Shao et al. [49]             Z-DEMATEL and Z-TOPSIS                                         X X X X X
6   Eldrandaly et al. [50]       Neutrosophic AHP and DEMATEL                                   X X X
7   Yong et al. [51]             Trapezoidal neutrosophic Z-numbers                             X X X
8   Du et al. [52]               NZN weighted arithmetic averaging and NZN                      X X X
                                 weighted geometric averaging operators
9   Yörükoğlu et al. [53]        Neutrosophic TOPSIS                                            X X
10  Peng and Smarandache [54]    Neutrosophic CRITIC and COCOSO                                 X X X
11  Haktanir and Kahraman [55]   Z-fuzzy hypothesis testing                                     X X
12  Nabeeh et al. [56]           Neutrosophic AHP                                               X X
13  Ye [57]                      Neutrosophic number linear programming                         X
14  Zavadskas et al. [58]        Neutrosophic MULTIMOORA                                        X X
    This Study                   Fully completed NZN DELPHI-DEMATEL-COCOSO                      X X X X X X


In the literature review, Zavadskas et al. [58] proposed Neutrosophic MULTIMOORA to select construction materials 
and elements for single-family house construction, offering a holistic approach that fills a significant gap in residential 
construction. Conversely, Ye [57] employed Neutrosophic Number Linear Programming (NNLP) to optimize resource 
allocation in complex systems, showcasing its potential to enhance decision-making processes through practical 
applications in production planning. Additionally, Nabeeh et al. [56] introduced a Neutrosophic AHP approach for IoT 
enterprises, illustrated through case studies in various locations. Peng et al. [54] prioritized dimensions of rare earth 
industry security using CRITIC and Neutrosophic Soft Decision Making, addressing complex security challenges. 
Yörükoğlu et al. [53] utilized Neutrosophic TOPSIS in intelligent container evaluation, emphasizing its role in 
Industry 4.0 Supply Chain Management Systems. 


Furthermore, Diznarda et al. [14] and Eldrandaly et al. [50] applied Neutrosophic AHP and DEMATEL methodologies 
to analyze decision-making scenarios in tourism and construction project management, respectively. Lu et al. [47] 
introduced Simplified Neutrosophic TOPSIS for evaluating teaching quality in Chinese colleges, highlighting its 
importance in enhancing teaching abilities. Lastly, Mohamad Sharaf et al. [46] addressed challenges in evaluating 
5G-RANs architecture with Type-2 Neutrosophic Fuzzy-Weighted Zero-Inconsistency and Type-2 Neutrosophic Fuzzy 
Decision methods. Despite these advancements, none have comprehensively addressed the issue of data reliability and 
certainty derived from expert responses, nor have they adequately considered the weighting of experts based on their 
qualifications and experience. This highlights a potential area for further research and exploration in the field. 


Integrating Z-Number concepts with neutrosophic fuzzy sets to form NZN presents a promising solution to bridge 
existing gaps in research methods. For instance, Du et al. [52] introduced NZN, which combines truth, falsity, and 
indeterminacy degrees with reliability degrees, offering a comprehensive framework for decision-making. They 
further developed NZN-weighted arithmetic (NZNWAA) and NZN-weighted geometric averaging (NZNWGA) 
operators to aggregate NZN information, enhancing decision-making processes. In a similar vein, Yong et al. [51] 
proposed trapezoidal neutrosophic Z-numbers (TrNZNs) to overcome limitations in existing trapezoidal neutrosophic 
numbers (TrNNs) and NZNs, introducing TrNZN weighted arithmetic averaging (TrNZNWAA) and TrNZN weighted 
geometric averaging (TrNZNWGA) operators for improved MCDM methods. Additionally, Haktanir et al. [55] 
demonstrated the applicability of Z-fuzzy hypothesis testing in both left and right-sided scenarios, along with 
sensitivity analyses, highlighting the effectiveness of their approach in handling uncertain and imprecise data within 
hypothesis testing contexts. Through these advancements, integrating Z-number concepts with neutrosophic fuzzy sets 
offers a robust framework for addressing uncertainties and enhancing decision-making processes in various domains. 


The fusion of neutrosophic fuzzy sets and Z numbers represents a recent advancement, offering a more 
nuanced and comprehensive approach to decision-making and sustainability assessment. The research conducted by 
Ye et al. [48,59] contributes significantly to the field by introducing specialized operations and weighted aggregation 
methods designed for NZN. Their study enhances the adaptability of decision-making processes by allowing for 
parameter adjustments that align with decision-makers' preferences. Specifically, they introduce Aczel-Alsina 
operations tailored for NZNs, including Aczel-Alsina t-norm and t-conorm operations, as well as NZN Aczel-Alsina 
weighted arithmetic averaging (NZNAAWAA) and NZN Aczel-Alsina weighted geometric averaging (NZNAAWGA) 
operators for effectively aggregating NZNs. In a parallel effort, Shao et al. [60] present a holistic framework for 
evaluating smart cities' sustainable development (SD) level. Their approach involves utilizing the Z-DEMATEL 
technique to identify mutual influence relationships and derive influence weights. Additionally, they employ the 
Z-TOPSIS-AL approach to assess sustainable development performance comprehensively. These contributions 
underscore the potential of integrating neutrosophic fuzzy sets and Z numbers to enhance decision-making processes 
and sustainability assessments in complex systems. 


2.2 Literature Review on Risk Factor And Solution Strategy 


Many prior studies have extensively examined cybersecurity risks within the financial and banking sector. Shulha et 
al. [8] utilized the fuzzy cognitive map method to identify and analyze 13 cybersecurity risks impacting banking 
information resources. Meanwhile, Ahmed et al. [10] employed the Graph Theory and Matrix Approach (GTMA) to 
assess cybersecurity challenges in the context of Industry 5.0 and determine their relative importance. Additionally, 
Sarefo et al. [61] conducted a cybersecurity risk study within the national framework of Botswana. These studies have 
employed diverse methodologies to pinpoint and analyze cybersecurity risks affecting banking systems and businesses, 
often within specific national contexts. 


To commence this analysis, a comprehensive search was conducted across prominent library databases, including 
Science Direct, Scopus, and Web of Science. Various keywords and search strings such as "cybersecurity risk," 
"Vietnam's finance and banking system," "finance system cybersecurity risk," and "banking system cybersecurity risk" 
were employed to retrieve relevant scholarly papers. As a result of this search, the study identified 17 potential 
cybersecurity risks impacting Vietnam's finance and banking system. These 17 factors are presented in Table 2. 


Table 2: List of cybersecurity risks potentially affecting Vietnam's finance and banking system 


       Risks                                                     References
TH1    Cloud Security Risks                                      [10]
TH2    Advanced Persistent Threats (APTs)                        [13,61]
TH3    Mobile Device and Web Application Security Risks          [8]
TH4    Supply Chain Vulnerabilities                              [10]
TH5    Denial-of-Service (DoS) Attacks                           [8,13]
TH6    Ransomware Attacks                                        [13,61]
TH7    Data Breaches                                             [8,13]
TH8    Phishing Attacks                                          [8,61]
TH9    Insider Threats                                           [13]
TH10   Biometric Data Vulnerabilities                            [62]
TH11   Weak Authentication Systems                               [13]
TH12   Man-in-the-Middle Attacks                                 [8]
TH13   Regulatory Compliance Risks                               [13]
TH14   Malware Infections                                        [8,13,61]
TH15   Emerging Technologies Risks                               [10]
TH16   Internet of Things (IoT) Vulnerabilities                  [10,13]
TH17   Insecure Application Programming Interfaces (APIs)        [63]


Ahmed et al. [10] highlighted the risks associated with cloud security, supply chain, and emerging technologies. 
Javaheri et al. [13], in their comprehensive study on cybersecurity threats in FinTech, identified well-known types of 
cyberattacks, including Advanced Persistent Threats (APTs), Denial-of-Service (DoS) Attacks, Ransomware Attacks, 
and Malware Infections. Additionally, their study pointed out risks stemming from poor system architecture, such as 
Data Breaches, Weak Authentication Systems, and Internet of Things (IoT) Vulnerabilities. Human-related risks, such 
as Insider Threats and Regulatory Compliance Risks, were also mentioned. Shulha et al. [8], in their study on Banking 
Information Resource Cybersecurity System Modeling, emphasized the risk of man-in-the-middle attacks, 
highlighting the human factor in cybersecurity. This research also discussed system security risks, including Mobile 
Device and Web Application Security Risks, as well as Phishing Attacks. Malware Infections were again noted as a 
significant threat. Thus, previous studies on cybersecurity in the banking sector have addressed a wide range of risks, 
including various forms of cyberattacks, vulnerabilities in system architecture, and human factors. This study builds 
on the findings of these prior studies, applying them to the Vietnamese context to rank and identify root cause factors 
for focused resolution. 


Drawing upon the insights from the literature review, the research team presents ten potential strategies to mitigate 
and address the identified risks. These strategies, supported by findings from previous studies in related fields, are 
summarized in Table 3. 


Table 3: List of potential strategies 


Strategies                                                        References 
SG1    Establish a Comprehensive Incident Response Plan           [64] 
SG2    Collaborate with Third-Party Vendors                       [65] 
SG3    Implement Robust Employee Training Programs                [66] 
SG4    Conduct Regular Security Audits and Penetration Testing    [67] 
SG5    Implement Encryption Protocols                             [68] 
SG6    Adopt a Zero-Trust Security Model                          [69] 
SG7    Enhance Endpoint Security                                  [70] 
SG8    Regularly Update and Patch Systems                         [71] 
SG9    Enforce Multi-Factor Authentication (MFA)                  [72] 
SG10   Invest in Advanced Threat Detection Systems                [73] 


3. Methodology 

3.1 Research Process 

Building upon this body of research, this study proposes a comprehensive model to investigate cybersecurity risks in 
Vietnam's financial and banking system using the MCDM approach, which encompasses the DELPHI, DEMATEL, 
and COCOSO methods combined with NZN. The research model is illustrated in Fig 1: 


[Figure 1: flowchart of the research process. 
Phase 1 (NZN DELPHI), identify and validate risks and calculate expert weights: Step 1, literature review (identify potential cybersecurity risks affecting the financial and banking system in Vietnam and propose solution strategies); Step 2, expert review and expert weighting (experts evaluate the suitability of the risks; expert weights are used when aggregating the responses). 
Phase 2 (NZN DEMATEL), calculate each risk's weight and determine relationships among risks: Step 3, assess the level of mutual influence between risks; Step 4, calculate the weight of each risk; Step 5, determine cause-and-effect relationships between factors. 
Phase 3: ranking proposed strategies.] 

Fig 1: Research Framework 

The study comprises three distinct phases. Firstly, potential cybersecurity risks are identified through an extensive 
literature review process. Subsequently, these risks undergo validation for relevance and appropriateness utilizing the 
DELPHI method combined with NZN. This involves synthesizing expert opinions gathered via questionnaires, where 
experts assess the importance and relevance of the identified risks. Notably, the study assigns weights to experts based 
on their years of experience and educational qualifications. This information is converted into NZN numbers, 
aggregated, and converted into crisp values. The weights assigned to experts are utilized throughout all research phases 
and multiplied by each expert's corresponding opinion. Following the compilation of opinions from 30 experts, a 
threshold value is calculated. Risks with assessment values falling below the threshold value are subsequently rejected 
from further consideration. 


In phase 2, experts will assess the level of mutual influence among the accepted risks identified in phase 1. This 
evaluation uses the DEMATEL method combined with the NZN concept. The DEMATEL technique, pioneered by 
Fontela and Gabus in 1976 [74], has effectively addressed complex global issues across scientific, political, and 
economic domains, leveraging expert judgments. This method yields insights into the weight of influence attributed 
to each risk and delineates cause-and-effect relationships among them. Notably, to preserve information integrity, this 
study employs defuzzification after calculating the total influence matrix, ensuring all matrix calculations adhere to 
the NZN format. In phase 3, experts will assess strategies based on their efficacy in mitigating risks. The data will be 
analyzed using the COCOSO method in conjunction with NZN, generating rankings for these strategies. Notably, the 
ranking results will undergo sensitivity and comparative analysis, juxtaposing them with rankings derived from other 
calculation methods, notably TOPSIS and MULTIMOORA, which incorporate the NZN number concept. This 
comprehensive evaluation approach aims to ensure the robustness and reliability of the ranking outcomes. The study 
utilized Microsoft Excel 2016 and SPSS version 26 to analyze the data. Processing the responses from 30 experts, 
encompassing 17 factors and 10 solutions, required an average of 180 minutes per analysis. 


3.2 Neutrosophic Z-number Sets 

Z-number, as proposed by Zadeh [44], comprises an ordered pair of fuzzy numbers (A, C) associated with an uncertain 
variable U, representing the fuzzy value of U (A) and a reliability measure (C) of A. However, this representation 
lacks information regarding the indeterminacy and falsity aspects of Z-numbers. To address this limitation and 
encompass comprehensive information about the truth, indeterminacy, and falsity of Z-numbers, the concept of a NZN 
can be introduced as an extension of the Z-number framework [52]. 

Definition 1 [52] Let X denote a universe set. A NZN set in X is defined using Equation (1): 


$$N_Z = \{[x, \alpha(A,C)(x), \beta(A,C)(x), \gamma(A,C)(x)] \mid x \in X\} \tag{1}$$

where $\alpha(A,C)(x) = (\alpha_A(x), \alpha_C(x))$, $\beta(A,C)(x) = (\beta_A(x), \beta_C(x))$ and $\gamma(A,C)(x) = (\gamma_A(x), \gamma_C(x))$: $X \to [0,1]$ are 
the ordered pairs of truth, indeterminacy, and falsity fuzzy values. A signifies neutrosophic values pertaining to the 
universe set X, and C signifies neutrosophic measures of reliability associated with A. These components adhere to 
the specified conditions: 

$$0 \le \alpha_A(x) + \beta_A(x) + \gamma_A(x) \le 3 \quad \text{and} \quad 0 \le \alpha_C(x) + \beta_C(x) + \gamma_C(x) \le 3$$

For the sake of clarity and convenience, the element $[x, \alpha(A,C)(x), \beta(A,C)(x), \gamma(A,C)(x)]$ in $N_Z$ is succinctly 
represented as $N_Z = [\alpha(A,C), \beta(A,C), \gamma(A,C)] = [(\alpha_A, \alpha_C), (\beta_A, \beta_C), (\gamma_A, \gamma_C)]$, named an NZN. 

Definition 2 [52,75] Let $N_{Z1} = [\alpha_1(A,C), \beta_1(A,C), \gamma_1(A,C)] = [(\alpha_{A1}, \alpha_{C1}), (\beta_{A1}, \beta_{C1}), (\gamma_{A1}, \gamma_{C1})]$ and 
$N_{Z2} = [\alpha_2(A,C), \beta_2(A,C), \gamma_2(A,C)] = [(\alpha_{A2}, \alpha_{C2}), (\beta_{A2}, \beta_{C2}), (\gamma_{A2}, \gamma_{C2})]$ be two NZNs and $\varepsilon > 0$. Then, we give the 
following relations using Equations (2)-(10): 


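1. $N_{Z1} \supseteq N_{Z2} \Leftrightarrow \alpha_{A1} \ge \alpha_{A2},\ \alpha_{C1} \ge \alpha_{C2},\ \beta_{A1} \le \beta_{A2},\ \beta_{C1} \le \beta_{C2},\ \gamma_{A1} \le \gamma_{A2}$ and $\gamma_{C1} \le \gamma_{C2}$ (2) 
2. $N_{Z1} = N_{Z2} \Leftrightarrow N_{Z1} \supseteq N_{Z2}$ and $N_{Z2} \supseteq N_{Z1}$ (3) 
3. $N_{Z1} \cup N_{Z2} = [(\alpha_{A1} \vee \alpha_{A2}, \alpha_{C1} \vee \alpha_{C2}), (\beta_{A1} \wedge \beta_{A2}, \beta_{C1} \wedge \beta_{C2}), (\gamma_{A1} \wedge \gamma_{A2}, \gamma_{C1} \wedge \gamma_{C2})]$ (4) 
4. $N_{Z1} \cap N_{Z2} = [(\alpha_{A1} \wedge \alpha_{A2}, \alpha_{C1} \wedge \alpha_{C2}), (\beta_{A1} \vee \beta_{A2}, \beta_{C1} \vee \beta_{C2}), (\gamma_{A1} \vee \gamma_{A2}, \gamma_{C1} \vee \gamma_{C2})]$ (5) 
5. $(N_{Z1})^c = [(\gamma_{A1}, \gamma_{C1}), (1 - \beta_{A1}, 1 - \beta_{C1}), (\alpha_{A1}, \alpha_{C1})]$ (complement of $N_{Z1}$) (6) 
6. $N_{Z1} \oplus N_{Z2} = [(\alpha_{A1} + \alpha_{A2} - \alpha_{A1}\alpha_{A2}, \alpha_{C1} + \alpha_{C2} - \alpha_{C1}\alpha_{C2}), (\beta_{A1}\beta_{A2}, \beta_{C1}\beta_{C2}), (\gamma_{A1}\gamma_{A2}, \gamma_{C1}\gamma_{C2})]$ (7) 
7. $N_{Z1} \otimes N_{Z2} = [(\alpha_{A1}\alpha_{A2}, \alpha_{C1}\alpha_{C2}), (\beta_{A1} + \beta_{A2} - \beta_{A1}\beta_{A2}, \beta_{C1} + \beta_{C2} - \beta_{C1}\beta_{C2}), (\gamma_{A1} + \gamma_{A2} - \gamma_{A1}\gamma_{A2}, \gamma_{C1} + \gamma_{C2} - \gamma_{C1}\gamma_{C2})]$ (8) 
8. $\varepsilon N_{Z1} = [(1 - (1 - \alpha_{A1})^{\varepsilon}, 1 - (1 - \alpha_{C1})^{\varepsilon}), (\beta_{A1}^{\varepsilon}, \beta_{C1}^{\varepsilon}), (\gamma_{A1}^{\varepsilon}, \gamma_{C1}^{\varepsilon})]$ (9) 
9. $(N_{Z1})^{\varepsilon} = [(\alpha_{A1}^{\varepsilon}, \alpha_{C1}^{\varepsilon}), (1 - (1 - \beta_{A1})^{\varepsilon}, 1 - (1 - \beta_{C1})^{\varepsilon}), (1 - (1 - \gamma_{A1})^{\varepsilon}, 1 - (1 - \gamma_{C1})^{\varepsilon})]$ (10) 

To defuzzify $N_{Z1} = [\alpha_1(A,C), \beta_1(A,C), \gamma_1(A,C)] = [(\alpha_{A1}, \alpha_{C1}), (\beta_{A1}, \beta_{C1}), (\gamma_{A1}, \gamma_{C1})]$, use Equation (11): 

$$DEF(N_{Z1}) = \frac{2 + \alpha_{A1}\alpha_{C1} - \beta_{A1}\beta_{C1} - \gamma_{A1}\gamma_{C1}}{3} \quad \text{for } DEF(N_{Z1}) \in [0, 1] \tag{11}$$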


Illustrative example 1: Let two NZNs be $N_{Z1}$ = [(0.8,0.8),(0.15,0.15),(0.2,0.2)] and $N_{Z2}$ = 
[(0.6,0.8),(0.35,0.15),(0.4,0.2)], with $\varepsilon = 0.7$. Examples of Equations (7)-(11) are shown below: 

$N_{Z1} \oplus N_{Z2}$ = [(0.8,0.8),(0.15,0.15),(0.2,0.2)] $\oplus$ [(0.6,0.8),(0.35,0.15),(0.4,0.2)] 
= [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)] 

$N_{Z1} \otimes N_{Z2}$ = [(0.8,0.8),(0.15,0.15),(0.2,0.2)] $\otimes$ [(0.6,0.8),(0.35,0.15),(0.4,0.2)] 
= [(0.48,0.64),(0.4475,0.2775),(0.52,0.36)] 

$\varepsilon N_{Z1}$ = 0.7 · [(0.8,0.8),(0.15,0.15),(0.2,0.2)] 
= [(0.6759,0.6759),(0.265,0.265),(0.3241,0.3241)] 

$(N_{Z1})^{\varepsilon}$ = ([(0.8,0.8),(0.15,0.15),(0.2,0.2)])$^{0.7}$ 
= [(0.8554,0.8554),(0.1075,0.1075),(0.1446,0.1446)] 

$$DEF(N_{Z1}) = \frac{2 + 0.8 \cdot 0.8 - 0.15 \cdot 0.15 - 0.2 \cdot 0.2}{3} = 0.8592$$

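Definition 3 [52]: Two weighted aggregation operators of neutrosophic Z-numbers 
Drawing upon Equation (7) and Equation (9) from Definition 2, we can formulate the weighted aggregation arithmetic 
mean (NZNWAA) equation for NZNs. Let $N_{Zi} = [\alpha_i(A,C), \beta_i(A,C), \gamma_i(A,C)] = [(\alpha_{Ai}, \alpha_{Ci}), (\beta_{Ai}, \beta_{Ci}), (\gamma_{Ai}, \gamma_{Ci})]$ 
$(i = 1, 2, \ldots, n)$ be a group of NZN and NZNWAA: $\Omega^n \to \Omega$. Subsequently, the 
NZNWAA equation is formally defined using Equation (12): 

$$NZNWAA(N_{Z1}, N_{Z2}, \ldots, N_{Zn}) = \sum_{i=1}^{n} \varepsilon_i N_{Zi} = \left[\left(1 - \prod_{i=1}^{n}(1 - \alpha_{Ai})^{\varepsilon_i},\ 1 - \prod_{i=1}^{n}(1 - \alpha_{Ci})^{\varepsilon_i}\right), \left(\prod_{i=1}^{n}\beta_{Ai}^{\varepsilon_i},\ \prod_{i=1}^{n}\beta_{Ci}^{\varepsilon_i}\right), \left(\prod_{i=1}^{n}\gamma_{Ai}^{\varepsilon_i},\ \prod_{i=1}^{n}\gamma_{Ci}^{\varepsilon_i}\right)\right] \tag{12}$$

where $\varepsilon_i$ $(i = 1, 2, \ldots, n)$ is the weight of $N_{Zi}$ with $0 \le \varepsilon_i \le 1$ and $\sum_{i=1}^{n} \varepsilon_i = 1$. 
Likewise, leveraging Equation (8) and Equation (10) from Definition 2, we can derive the weighted aggregation 
geometric mean (NZNWAGM) equation for NZNs. Let $N_{Zi} = [\alpha_i(A,C), \beta_i(A,C), \gamma_i(A,C)] = [(\alpha_{Ai}, \alpha_{Ci}), (\beta_{Ai}, \beta_{Ci}), (\gamma_{Ai}, \gamma_{Ci})]$ 
$(i = 1, 2, \ldots, n)$ be a group of NZN and NZNWGA: $\Omega^n \to \Omega$. The NZNWGA 
equation is formally defined using Equation (13): 

$$NZNWGA(N_{Z1}, N_{Z2}, \ldots, N_{Zn}) = \prod_{i=1}^{n} (N_{Zi})^{\varepsilon_i} = \left[\left(\prod_{i=1}^{n}\alpha_{Ai}^{\varepsilon_i},\ \prod_{i=1}^{n}\alpha_{Ci}^{\varepsilon_i}\right), \left(1 - \prod_{i=1}^{n}(1 - \beta_{Ai})^{\varepsilon_i},\ 1 - \prod_{i=1}^{n}(1 - \beta_{Ci})^{\varepsilon_i}\right), \left(1 - \prod_{i=1}^{n}(1 - \gamma_{Ai})^{\varepsilon_i},\ 1 - \prod_{i=1}^{n}(1 - \gamma_{Ci})^{\varepsilon_i}\right)\right] \tag{13}$$

where $\varepsilon_i$ $(i = 1, 2, \ldots, n)$ is the weight of $N_{Zi}$ with $0 \le \varepsilon_i \le 1$ and $\sum_{i=1}^{n} \varepsilon_i = 1$. 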
Illustrative example 2: Assume a set of 4 NZN numbers: {[(0.8,0.8),(0.15,0.15),(0.2,0.2)], 
[(0.6,0.8),(0.35,0.15),(0.4,0.2)], [(0.4,0.8),(0.65,0.15),(0.6,0.2)], [(0.2,0.8),(0.85,0.15),(0.8,0.2)]} with corresponding 
weights $\varepsilon_i$ = {0.1, 0.3, 0.4, 0.2}. The aggregated results using the NZNWAA (Equation (12)) and NZNWGA (Equation 
(13)) methods are as follows: 

$NZNWAA(N_{Z1}, N_{Z2}, N_{Z3}, N_{Z4})$ = [(0.4958,0.8),(0.4919,0.15),(0.5042,0.2)] 
$NZNWGA(N_{Z1}, N_{Z2}, N_{Z3}, N_{Z4})$ = [(0.4215,0.7999),(0.6112,0.15),(0.5785,0.2001)] 
Definition 4 [59]: Distance and similarity measures of NZN sets 
In recent years, researchers have increasingly focused on distance and similarity metrics between sets, which serve 
as potent decision-making tools [76]. We can define the distance between two NZN sets and their respective 
weights. Let $N_{Z1} = \{N_{Z11}, N_{Z12}, \ldots, N_{Z1n}\}$ and $N_{Z2} = \{N_{Z21}, N_{Z22}, \ldots, N_{Z2n}\}$, where 
$N_{Z1k} = [\alpha_{1k}(A,C), \beta_{1k}(A,C), \gamma_{1k}(A,C)] = [(\alpha_{A1k}, \alpha_{C1k}), (\beta_{A1k}, \beta_{C1k}), (\gamma_{A1k}, \gamma_{C1k})]$ and 
$N_{Z2k} = [\alpha_{2k}(A,C), \beta_{2k}(A,C), \gamma_{2k}(A,C)] = [(\alpha_{A2k}, \alpha_{C2k}), (\beta_{A2k}, \beta_{C2k}), (\gamma_{A2k}, \gamma_{C2k})]$ are two NZNs, set $\theta \ge 1$ as any 
integer, and the corresponding weights of n pairs of NZN $w_k = (w_1, w_2, \ldots, w_n)$, $\sum_{k=1}^{n} w_k = 1$. Subsequently, the 
generalized distance between $N_{Z1}$ and $N_{Z2}$ is calculated using Equation (14): 


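$$D_{w\theta}(N_{Z1}, N_{Z2}) = \frac{1}{2}\left\{\left[\frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{A1k} - \alpha_{A2k}|^{\theta} + |\beta_{A1k} - \beta_{A2k}|^{\theta} + |\gamma_{A1k} - \gamma_{A2k}|^{\theta}\right)\right]^{1/\theta} + \left[\frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{C1k} - \alpha_{C2k}|^{\theta} + |\beta_{C1k} - \beta_{C2k}|^{\theta} + |\gamma_{C1k} - \gamma_{C2k}|^{\theta}\right)\right]^{1/\theta}\right\} \tag{14}$$

When $\theta = 1$, the above generalized distance formula becomes the Hamming distance formula $D_{w1}$, using Equation (15): 

$$D_{w1}(N_{Z1}, N_{Z2}) = \frac{1}{2}\left\{\frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{A1k} - \alpha_{A2k}| + |\beta_{A1k} - \beta_{A2k}| + |\gamma_{A1k} - \gamma_{A2k}|\right) + \frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{C1k} - \alpha_{C2k}| + |\beta_{C1k} - \beta_{C2k}| + |\gamma_{C1k} - \gamma_{C2k}|\right)\right\} \tag{15}$$

When $\theta = 2$, the above generalized distance formula becomes the Euclidean distance formula $D_{w2}$, using Equation (16): 

$$D_{w2}(N_{Z1}, N_{Z2}) = \frac{1}{2}\left\{\sqrt{\frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{A1k} - \alpha_{A2k}|^{2} + |\beta_{A1k} - \beta_{A2k}|^{2} + |\gamma_{A1k} - \gamma_{A2k}|^{2}\right)} + \sqrt{\frac{1}{3}\sum_{k=1}^{n} w_k\left(|\alpha_{C1k} - \alpha_{C2k}|^{2} + |\beta_{C1k} - \beta_{C2k}|^{2} + |\gamma_{C1k} - \gamma_{C2k}|^{2}\right)}\right\} \tag{16}$$
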

Illustrative example 3: Assume two sets of 2 NZN numbers: $N_{Z1}$ = {[(0.8,0.8),(0.15,0.15),(0.2,0.2)], 
[(0.6,0.8),(0.35,0.15),(0.4,0.2)]} and $N_{Z2}$ = {[(0.6,0.4),(0.35,0.65),(0.4,0.6)], [(0.2,0.2),(0.85,0.85),(0.8,0.8)]} with 
corresponding weights $\varepsilon_i$ = (0.65, 0.35). The Hamming distance and Euclidean distance between these two NZN 
sets are calculated using Equations (15)-(16): 

Hamming distance 

$$D_{w1}(N_{Z1}, N_{Z2}) = \frac{1}{6}\{[0.65 \cdot (|0.8 - 0.6| + |0.15 - 0.35| + |0.2 - 0.4|) + 0.35 \cdot (|0.6 - 0.2| + |0.35 - 0.85| + |0.4 - 0.8|)] + [0.65 \cdot (|0.8 - 0.4| + |0.15 - 0.65| + |0.2 - 0.6|) + 0.35 \cdot (|0.8 - 0.2| + |0.15 - 0.85| + |0.2 - 0.8|)]\} = 0.3925$$

Euclidean distance 

$$D_{w2}(N_{Z1}, N_{Z2}) = \frac{1}{2}\left\{\sqrt{\frac{1}{3}\left[0.65 \cdot (|0.8 - 0.6|^2 + |0.15 - 0.35|^2 + |0.2 - 0.4|^2) + 0.35 \cdot (|0.6 - 0.2|^2 + |0.35 - 0.85|^2 + |0.4 - 0.8|^2)\right]} + \sqrt{\frac{1}{3}\left[0.65 \cdot (|0.8 - 0.4|^2 + |0.15 - 0.65|^2 + |0.2 - 0.6|^2) + 0.35 \cdot (|0.8 - 0.2|^2 + |0.15 - 0.85|^2 + |0.2 - 0.8|^2)\right]}\right\} = 0.4093$$



3.3 NZN DELPHI Method 
Assume k experts provide assessments for n factors. Each expert evaluates the significance of each factor using a 
linguistic scale, which is then converted to NZN numbers using NZN sets. Additionally, experts are weighted based 
on their education and years of experience. The calculation steps are outlined below: 
Step 1: Calculate the weight of the expert. 
Expert weights will be assessed using NZN numbers, comprising two components: A, representing the degree of 
evaluation based on the expert's experience and education, and C, indicating the degree of certainty based on the 
research team's knowledge about the expert. The two NZN numbers representing the expert rating based on years of 
experience and education will be aggregated using Equation (7) and converted into a crisp score using Equation (11). 
Table 4 outlines the expert-level assessment along with the corresponding linguistic scale [77]. 

Table 4: Expert rating scale 


Education (A)     Experience (A)      Certainty (C)   Linguistic scale   Code   NZN 
Doctor            Over 20 years       Very high       Very high          VH     (0.8,0.15,0.2) 
Master            10 – 20 years       High            High               H      (0.6,0.35,0.4) 
Bachelor          5 – 10 years        Medium          Medium             M      (0.4,0.65,0.6) 
Under Bachelor    Under five years    Low             Low                L      (0.2,0.85,0.8) 
-                 -                   Very low        Very low           VL     (0,1,1) 


For instance, Expert 1 holds a master's degree and possesses 20 years of professional experience. The authors are 
familiar with this expert, indicating a high level of certainty regarding the assessment (VH). Consequently, the 
weighted assessment based on experience for this expert will be (VH; VH), while based on qualifications, it will be 
(H; VH). These assessments are represented as NZN numbers as follows: [(0.6,0.8),(0.35,0.15),(0.4,0.2)] and 
[(0.8,0.8),(0.15,0.15),(0.2,0.2)]. 

The two evaluations in the form of fuzzy numbers will be combined using Equation (7). The result will be converted to 
a crisp score using Equation (11), which gives the evaluation value. In the example above, the evaluation value of Expert 1 
is as follows: 

[(0.6,0.8),(0.35,0.15),(0.4,0.2)] $\oplus$ [(0.8,0.8),(0.15,0.15),(0.2,0.2)] = [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)] 
Using Equation (11) to convert the NZN [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)] to a crisp score, the result obtained 
is 0.9596. 
Calculate the evaluation value for k experts, obtaining k values EK: $ek_i = \{ek_1, ek_2, \ldots, ek_k\}$. The weight of expert 
EW: $ew_i = \{ew_1, ew_2, \ldots, ew_k\}$ is calculated as in Equation (17) below: 

$$ew_i = \frac{ek_i}{\sum_{j=1}^{k} ek_j} \tag{17}$$

Step 2: Build a weighted expert evaluation matrix 
Experts will engage in evaluating the importance of n factors. Initial evaluation results are presented in linguistic 
form and converted to NZN numbers, forming a matrix $\otimes EM = [em_{ij}]_{n \times k}$, where n represents the number of 
factors and k denotes the number of experts. The linguistic scale for evaluation and corresponding NZN are depicted 
in Table 5 [77]. 

Table 5: NZN DELPHI Linguistic important scale 

Important level   Code   Membership 
                         α      β      γ 
Very low          VL     0      1      1 
Low               L      0.2    0.85   0.8 
Medium            M      0.4    0.65   0.6 
High              H      0.6    0.35   0.4 
Very high         VH     0.8    0.15   0.2 

The weighted expert evaluation matrix $\otimes EMW = [emw_{ij}]_{n \times k}$ is created using Equation (18) below. 

$$emw_{ij} = em_{ij} \otimes ew_j \tag{18}$$

where $i = 1, 2, \ldots, n$ and $j = 1, 2, \ldots, k$; $ew_j = \{ew_1, ew_2, \ldots, ew_k\}$ is the weight of expert j. 


Step 3: Calculate the threshold and validate factors 

Each factor will undergo an assessment by k experts. Employ Equation (12) to synthesize these k assessments, yielding 
aggregated results for n factors in the form of NZN. Subsequently, apply Equation (11) to convert the ratings into crisp 
scores, thereby generating n EV values: $ev_i = \{ev_1, ev_2, \ldots, ev_n\}$. The threshold value $\delta$ is calculated using Equation (19) 
below: 

$$\delta = \frac{\sum_{i=1}^{n} ev_i}{n} \tag{19}$$

If $ev_i \ge \delta$, then factor i is accepted. If $ev_i < \delta$, then factor i is rejected. 
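
The NZN arithmetic of Definitions 2 and 3 and the DELPHI steps of Section 3.3 can be reproduced in a few functions. The Python below is an added example, not the authors' code (the study used Excel and SPSS). The class and function names, the reading of Equations (18) and (12) as a single NZNWAA call that uses the expert weights, the certainty code attached to each rating, and the PROFILES and RATINGS sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import prod

# Linguistic code -> (alpha, beta, gamma): the scale shared by Tables 4 and 5.
SCALE = {"VL": (0.0, 1.0, 1.0), "L": (0.2, 0.85, 0.8), "M": (0.4, 0.65, 0.6),
         "H": (0.6, 0.35, 0.4), "VH": (0.8, 0.15, 0.2)}

def _pair(f, p, q):
    return tuple(f(x, y) for x, y in zip(p, q))

def _psum(x, y):  # probabilistic sum x + y - xy
    return x + y - x * y

def _mul(x, y):
    return x * y

def _inv(t):  # component-wise 1 - v
    return tuple(1 - v for v in t)

@dataclass(frozen=True)
class NZN:
    a: tuple  # truth         (alpha_A, alpha_C)
    b: tuple  # indeterminacy (beta_A, beta_C)
    g: tuple  # falsity       (gamma_A, gamma_C)

    @classmethod
    def from_codes(cls, value, certainty):
        """NZN for a linguistic value A held with certainty C (assumed pairing)."""
        (aa, ba, ga), (ac, bc, gc) = SCALE[value], SCALE[certainty]
        return cls((aa, ac), (ba, bc), (ga, gc))

    def __add__(self, o):  # Equation (7)
        return NZN(_pair(_psum, self.a, o.a), _pair(_mul, self.b, o.b),
                   _pair(_mul, self.g, o.g))

    def __mul__(self, o):  # Equation (8)
        return NZN(_pair(_mul, self.a, o.a), _pair(_psum, self.b, o.b),
                   _pair(_psum, self.g, o.g))

    def scale(self, e):  # Equation (9): e * N
        return NZN(_inv(tuple(x ** e for x in _inv(self.a))),
                   tuple(x ** e for x in self.b), tuple(x ** e for x in self.g))

    def power(self, e):  # Equation (10): N ** e
        return NZN(tuple(x ** e for x in self.a),
                   _inv(tuple(x ** e for x in _inv(self.b))),
                   _inv(tuple(x ** e for x in _inv(self.g))))

    def defuzz(self):  # Equation (11): crisp score in [0, 1]
        return (2 + self.a[0] * self.a[1] - self.b[0] * self.b[1]
                - self.g[0] * self.g[1]) / 3

def _check(items, weights):
    if not items or len(items) != len(weights):
        raise ValueError("need exactly one weight per NZN")
    if any(not 0 <= w <= 1 for w in weights) or abs(sum(weights) - 1) > 1e-6:
        raise ValueError("weights must lie in [0, 1] and sum to 1")

def _wprod(items, weights, get):
    """Weighted product of one component pair: prod(get(N_i) ** w_i)."""
    return tuple(prod(get(n)[c] ** w for n, w in zip(items, weights)) for c in (0, 1))

def nznwaa(items, weights):  # Equation (12), weighted arithmetic aggregation
    _check(items, weights)
    return NZN(_inv(_wprod(items, weights, lambda n: _inv(n.a))),
               _wprod(items, weights, lambda n: n.b), _wprod(items, weights, lambda n: n.g))

def nznwga(items, weights):  # Equation (13), weighted geometric aggregation
    _check(items, weights)
    return NZN(_wprod(items, weights, lambda n: n.a),
               _inv(_wprod(items, weights, lambda n: _inv(n.b))),
               _inv(_wprod(items, weights, lambda n: _inv(n.g))))

def expert_weights(profiles):
    """Equations (7), (11), (17) on (education, experience, certainty) codes."""
    ek = [(NZN.from_codes(edu, c) + NZN.from_codes(exp, c)).defuzz()
          for edu, exp, c in profiles]
    return [v / sum(ek) for v in ek]

def delphi(ratings, weights):
    """Equations (12), (11), (19): returns (threshold, {risk: (crisp, accepted)})."""
    ev = {r: nznwaa([NZN.from_codes(*x) for x in xs], weights).defuzz()
          for r, xs in ratings.items()}
    threshold = sum(ev.values()) / len(ev)
    return threshold, {r: (v, v >= threshold) for r, v in ev.items()}

# Constructed panel and ratings (not the study's data); codes follow Tables 4 and 5.
PROFILES = [("H", "VH", "VH"), ("H", "H", "M"), ("VH", "H", "L")]
RATINGS = {  # one (importance, certainty) pair per expert
    "TH14 Malware Infections": [("VH", "VH"), ("VH", "VH"), ("VH", "VH")],
    "TH4 Supply Chain Vulnerabilities": [("VH", "H"), ("H", "VH"), ("VH", "M")],
    "TH9 Insider Threats": [("H", "VH"), ("H", "VH"), ("H", "VH")],
    "TH13 Regulatory Compliance Risks": [("L", "VH"), ("L", "VH"), ("L", "VH")],
}

if __name__ == "__main__":
    thr, res = delphi(RATINGS, expert_weights(PROFILES))
    for risk, (score, ok) in res.items():
        print(f"{risk}: {score:.4f} {'accepted' if ok else 'rejected'} (threshold {thr:.4f})")
```

The first profile in PROFILES is Expert 1 of the worked example, so its crisp evaluation value reproduces 0.9596.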
3.4 NZN DEMATEL Model 


Let us assume there are k experts with their corresponding expert weights ew, evaluating the mutual influence of n 
factors. Ratings are initially expressed in linguistic form and subsequently converted to NZN. The rating scale and 
corresponding NZN are presented in Table 6 [77]. 


Table 6: NZN DEMATEL Linguistic influence scale 


Influence level      Code   Membership 
                            α      β      γ 
Equal influence      EI     0      1      1 
Weak influence       WI     0.2    0.85   0.8 
Fair influence       FI     0.4    0.65   0.6 
Very influence       VI     0.6    0.35   0.4 
Absolute influence   AI     0.8    0.15   0.2 


After converting the assessments to NZN numbers, the data will be processed using the DEMATEL method. The 
calculation steps are presented below. 

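Step 1: Establishing the direct relationship matrix $\otimes D$ 

The evaluations of the mutual influence of n factors (where factor i affects factor j) from k experts, denoted as $d_{ij}^{t}$, are 
converted to NZN with their respective expert weights $ew_t$. These evaluations are then consolidated using Equation 
(12), resulting in the direct influence matrix $\otimes D = [\otimes d_{ij}]_{n \times n}$, where: 

$$d_{ij} = NZNWAA(d_{ij}^{1}, d_{ij}^{2}, \ldots, d_{ij}^{k}) = \sum_{t=1}^{k} ew_t\, d_{ij}^{t} \tag{20}$$

where $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, n$, $t = 1, 2, \ldots, k$; $\otimes d_{ij} = [(d_{ij}^{\alpha A}, d_{ij}^{\alpha C}), (d_{ij}^{\beta A}, d_{ij}^{\beta C}), (d_{ij}^{\gamma A}, d_{ij}^{\gamma C})]$. Here, the diagonal 
elements in the matrix are 0, i.e., $\otimes d_{ij} = 0$ (when i = j). 

Step 2: Calculating the normalized direct relationship matrix $\otimes D^*$ 
Matrix $\otimes D = [\otimes d_{ij}]_{n \times n}$ will be normalized into the matrix $\otimes D^* = [\otimes d_{ij}^{*}]_{n \times n}$ using Equation (21) below: 

$$d_{ij}^{*} = (\theta_A, \theta_C) \cdot d_{ij} = [(\theta_A d_{ij}^{\alpha A}, \theta_C d_{ij}^{\alpha C}), (\theta_A d_{ij}^{\beta A}, \theta_C d_{ij}^{\beta C}), (\theta_A d_{ij}^{\gamma A}, \theta_C d_{ij}^{\gamma C})] \tag{21}$$

where $\otimes d_{ij}^{*} = [(d_{ij}^{*\alpha A}, d_{ij}^{*\alpha C}), (d_{ij}^{*\beta A}, d_{ij}^{*\beta C}), (d_{ij}^{*\gamma A}, d_{ij}^{*\gamma C})]$ 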


uy yy? ij’? 
1 1 | (22) 


t= Min ais = oT 
B YA 
d ian dif d. 


j=l ij jai ij 


Lap 1 1 1 
c = MIN) ae? SoBe’? Sn VO 
a ae ya mde far iy 


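Step 3: Generating the total influence matrix $\otimes T$ 

The normalized direct relationship matrix is computed into a comprehensive influence matrix $\otimes T$. This integration 
encompasses both direct and indirect influence relationships, aggregating them across a spectrum from minimal 
impact to maximal influence, spanning from the power of one to the power of infinity. The procedure is presented 
below: 

$$\otimes T = [\otimes t_{ij}]_{n \times n}, \quad i, j = 1, 2, \ldots, n \tag{23}$$

where $\otimes t_{ij} = [(t_{ij}^{\alpha A}, t_{ij}^{\alpha C}), (t_{ij}^{\beta A}, t_{ij}^{\beta C}), (t_{ij}^{\gamma A}, t_{ij}^{\gamma C})]$ 

$$\otimes T = \otimes D^{*} + \otimes D^{*2} + \cdots + \otimes D^{*\infty} = \otimes D^{*}(I + \otimes D^{*} + \otimes D^{*2} + \cdots + \otimes D^{*(\infty - 1)}) = \otimes D^{*}(I - \otimes D^{*\infty})(I - \otimes D^{*})^{-1} = \otimes D^{*}(I - \otimes D^{*})^{-1} \tag{24}$$

where $\otimes D^{*\infty} = [0]_{n \times n}$ and $I$ is the identity matrix. 
The elements of matrix $\otimes T$, which are in NZN form, are converted to crisp values using Equation (11) to create the matrix $\otimes T^{*} = [\otimes t_{ij}^{*}]_{n \times n}$. 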

Step 4: Establishing an INRM to identify the mutual influence of development projects. 


$\otimes r$ is calculated by adding up each column of the total influence matrix $\otimes T^{*}$. $\otimes c$ is calculated by adding up each 
row of the matrix $\otimes T^{*}$. 


@r= [® Tila = (® 11, @ 712, -.,® Tio ,& ™) (25) 
eee x2 al (26) 
® c= [® Cilixn = (® C1,8 C2, 1 ® Cy 1 ®) ey (27) 
" i = (28) 

[@ Cilien = = >. .2 ti = [@ che 


Note: "superscript T" is the transpose of the matrix 


The index of the strength of influences imparted and received is $\otimes r_i + \otimes c_i$. The net influence is represented by 
$\otimes r_i - \otimes c_i$. A higher $\otimes r_i + \otimes c_i$ indicates that criterion i has a greater influence on the evaluation system. Indicator 
i significantly influences others if $\otimes r_i - \otimes c_i > 0$ (is positive). Indicator i is influenced by other indicators if 
$\otimes r_i - \otimes c_i < 0$ (is negative). 

The indicator's overall effect on the assessment system is represented by $\otimes r_i + \otimes c_i$. Therefore, Equation (29) is 
used to construct an indicator's impact weight. 

$$\frac{r_i + c_i}{\sum_{i=1}^{n} (r_i + c_i)} \tag{29}$$


3.5 NZN COCOSO Model 
Consider k experts tasked with evaluating the impact of n strategies on approaching and resolving m factors. The 
rating scale and corresponding NZN are illustrated in Table 7 [77]: 

Table 7: NZN COCOSO Linguistic important scale 

Important level   Code   Membership 
                         α      β      γ 
Very Poor         VP     0      1      1 
Poor              P      0.2    0.85   0.8 
Fair              F      0.4    0.65   0.6 
Good              G      0.6    0.35   0.4 
Very Good         VG     0.8    0.15   0.2 


After converting the assessments to NZN numbers, the data will be processed using the COCOSO method. The 
calculation steps are presented below. 

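Step 1: Calculate the synthesized expert assessment matrix $\otimes F$ 

The evaluations of the effectiveness of n strategies in resolving m factors by k experts, denoted as $f_{ij}^{t}$, along with their 
corresponding expert weights $ew_t$, are synthesized into matrix $\otimes F = [\otimes f_{ij}]_{n \times m}$ using Equation (12), as shown 
below. 

$$f_{ij} = NZNWAA(f_{ij}^{1}, f_{ij}^{2}, \ldots, f_{ij}^{k}) = \sum_{t=1}^{k} ew_t\, f_{ij}^{t}$$

where $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, m$, $t = 1, 2, \ldots, k$; $\otimes f_{ij} = [(f_{ij}^{\alpha A}, f_{ij}^{\alpha C}), (f_{ij}^{\beta A}, f_{ij}^{\beta C}), (f_{ij}^{\gamma A}, f_{ij}^{\gamma C})]$ 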


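Step 2: Normalize matrix $\otimes F$ into matrix $\otimes F^{*}$ 
Matrix $\otimes F = [\otimes f_{ij}]_{n \times m}$ will be normalized into the matrix $\otimes F^{*} = [\otimes f_{ij}^{*}]_{n \times m}$ using Equations (30)-(31) below: 

$$f_{ij}^{*} = (\xi_A, \xi_C) \cdot f_{ij} = [(\xi_A f_{ij}^{\alpha A}, \xi_C f_{ij}^{\alpha C}), (\xi_A f_{ij}^{\beta A}, \xi_C f_{ij}^{\beta C}), (\xi_A f_{ij}^{\gamma A}, \xi_C f_{ij}^{\gamma C})] \tag{30}$$

where $\otimes f_{ij}^{*} = [(f_{ij}^{*\alpha A}, f_{ij}^{*\alpha C}), (f_{ij}^{*\beta A}, f_{ij}^{*\beta C}), (f_{ij}^{*\gamma A}, f_{ij}^{*\gamma C})]$ 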


Say oa) fom. (sf) es * ay (al 
a a 
me) aa) sea) 


Step 3: Calculate the relative importance of each strategy 
The relative importance of the given strategies is computed through the Weighted Sum Method $\Lambda_i$ and the Weighted 
Product Method $\Psi_i$ using Equations (9) and (10), respectively. The detailed formula is shown in Equations (31)-(32): 


=S fi (31) 


J 
— (32) 
Y= y (7) 
j 


where $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, m$, and $b_j = (b_1, b_2, \ldots, b_m)$ is the weight of factor j 


(31) 
Ea = Min 


éc = Min 


Step 4: Calculate the relative weight of each strategy 
In this step, three appraisal score C;,, C;;;, C;,;; strategies are employed to determine the relative weights of other 
options, which are derived using the following formulas: 


Calculate Cj, 


Use Equation (7) to sum up $\Lambda_i$ and $\Psi_i$; after that, use Equation (11) to convert the result into a crisp score. $\Lambda_i$ and 
$\Psi_i$ are also converted to crisp scores by using Equation (11). The formula for calculating the first appraisal score is 
presented in Equation (33): 


y= PERO) ” 
iY" (DEF (A;) + DEF(Y)) 


Calculate Cj 


Cj; is calculated using Equation (37). Equation (37) uses the formula for dividing two numbers NZN. The formula 
for dividing 2 NZN numbers mentioned by Yazdani et al. [75] is as Equation (34) follows: 


Let Nz; = [a,(4,C), Bi (A, C),v1(A, C)] = [(@41,c1), (Bar Ber), Yar ¥e1)] and Nz2 = 
[a2 (A, C), B2(A, C),¥2(A, C)] = [(@42, G2), Bar» Bea), (Yaz Ve2)] be two NZNs, we have: 


a1 “<t) ( fer) (4 v1) (34) 
"\Ba2’ Boo?’ \Va2' Vez 
Amini and Vin ; 1s determine by using Equation (35)-(36) below [59]: 


Nz © Nzz = ( 


, 
A42 %€2 


Amini = [(min{A/4}, min{Af*}), (max{ Af}, max{af?}), (max{AY4}, max{Ay°}) | oS 
= (AAT), APA), (OO 

Pini = [(min{¥7*}, min{¥7°}), (max{¥P4}, max{wPe}), max{ P74}, max{¥7°}) | (36) 
= [CBP BP), HP, PF), EC 


Apply Equation (34)-(36) to Equation (37), Cj}; is computed as follows: 


Cy, = DEF {0.5 - [(Ai © Amini) B (i © Pmin iI} (37) 
Calculate Cj; 


Equation (38)-(39) is used to determine Ajay; and Ymax ; aS follows [59]: 


Amax i = [(max{Ai*}, max{Af}), (min{A?4}, min{a}), (min{A?4}, min{are}) | (38) 
= [(A74,07°), (APA, AES), (AES AFD 

Baxi = [(max{¥e*}, max{¥"°}), (min{vP4}, min{wPe}), cmin{ PY}, min {87°} | (39) 
= (CEPA, BPS), HPA, HP), HLS PP] 


With 0< @ <1, A; , ¥;, Amax ; and Yinax; IS converted into a crips score by using Equation (11). Apply to Equation 
(40) to calculate C;,;; as below: 
c= SEF (AD) + (1 = o)DEF) (40) 
MU GDEF Amax i) + (1 = @)DEF (Pax) 


This coefficient is usually taken as 0.5 [75]. However, this study will set its value from 0.1, 0.2, to 0.9 in turn for the 
sensitivity analysis. 

Calculate $C_i$ and ranking 

$C_i$ is calculated using Equation (41) below, and the $C_i$ value is used to rank the corresponding strategies. 


1. 
Cy = YC iy Ci Cipy + Cu + Cir + Cis) (41) 
4. Case Study 


4.1 Problem Description 


Cybersecurity risks within the finance and banking sector have become a focal point of research and concern, drawing 
attention not only from financial institutions but also from governmental bodies overseeing management and 
operations, as well as from consumers themselves [78]. According to statistics provided by the Ministry of Information 
and Communications of Vietnam, during the first 11 months of 2023, nearly 16,000 reports of fraudulent activities 
were submitted by Vietnamese Internet users through alert systems. Alarmingly, over 91% of these reports were linked 
to fraud and illicit activities within the banking and financial domain [79]. The prevalence of cybersecurity threats 
poses significant challenges to the integrity, security, and operational efficiency of the banking and financial 
infrastructure. Such risks extend beyond financial institutions, impacting individuals, businesses, and governmental 
entities that rely on these systems for their operations [8]. The ramifications of cybersecurity breaches can result in 
substantial economic losses, making it imperative for all stakeholders to prioritize robust security measures and 
proactive risk management strategies. 


This study aims to analyze cybersecurity risks within Vietnam's finance and banking system, assessing their impact 
and interrelations. It also proposes and prioritizes solutions based on expert evaluations of their efficacy in risk 
mitigation. By identifying, quantifying, and understanding these risks, the study seeks to enhance the resilience and 
security of the financial infrastructure while minimizing potential economic losses and disruptions. Fig 2 illustrates 
the hierarchy of cybersecurity risks impacting Vietnam's financial and banking system for a comprehensive overview. 


[Figure 2: hierarchy diagram linking the goal "Cybersecurity risks affecting Vietnam's finance and banking system" to the ten strategies SG1 to SG10 listed in Table 3.] 

Fig 2: Hierarchical framework of cybersecurity risks and strategies 
4.2 Expert Selection and Expert Weight 


Thirty experts, selected for their expertise and experience pertinent to the scope of this study, participated in rating the 
importance of the seventeen potential risks listed above. These experts encompass individuals who serve as educators, 
researchers, and practitioners directly involved in the fields of banking and finance, information security, and financial 
information systems. All experts possess over ten years of experience in the field, with nine experts boasting more 
than 20 years of expertise. Moreover, 93% of the experts hold a Master's degree or higher, with 50% obtaining a 
doctoral degree. As outlined in section 3.2, the weight of each expert is estimated based on their years of experience 
and educational attainment, as shown in Table 4. The profiles of each expert, along with their corresponding weights, 
are detailed in Table 8: 
Table 8: Expert's profiles and expert weight 

Expert      Education   Experience            Evaluation value (NZN)                        Evaluation value (Crisp)   Expert Weight 
Expert 1    Master      Over 20 years         [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)]     0.9596    0.0408 
Expert 2    Master      From 10 - 20 years    [(0.84,0.64),(0.1225,0.4225),(0.16,0.36)]     0.8094    0.0344 
Expert 3    Doctor      From 10 - 20 years    [(0.92,0.36),(0.0525,0.7225),(0.08,0.64)]     0.7474    0.0317 
Expert 4    Master      From 10 - 20 years    [(0.84,0),(0.1225,1),(0.16,1)]                0.5725    0.0243 
Expert 5    Master      From 10 - 20 years    [(0.84,0.36),(0.1225,0.7225),(0.16,0.64)]     0.7038    0.0299 
Expert 6    Master      From 10 - 20 years    [(0.84,0),(0.1225,1),(0.16,1)]                0.5725    0.0243 
Expert 7    Master      From 10 - 20 years    [(0.84,0.64),(0.1225,0.4225),(0.16,0.36)]     0.8094    0.0344 
Expert 8    Master      From 10 - 20 years    [(0.84,0.96),(0.1225,0.0225),(0.16,0.04)]     0.9324    0.0396 
Expert 9    Master      From 10 - 20 years    [(0.84,0.64),(0.1225,0.4225),(0.16,0.36)]     0.8094    0.0344 
Expert 10   Master      Over 20 years         [(0.92,0.64),(0.0525,0.4225),(0.08,0.36)]     0.8459    0.0359 
Expert 11   Master      Over 20 years         [(0.92,0.36),(0.0525,0.7225),(0.08,0.64)]     0.7474    0.0317 
Expert 12   Master      Over 20 years         [(0.92,0.84),(0.0525,0.1225),(0.08,0.16)]     0.9179    0.039 
Expert 13   Master      Over 20 years         [(0.92,0),(0.0525,1),(0.08,1)]                0.6225    0.0264 
Expert 14   Master      Over 20 years         [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)]     0.9596    0.0408 
Expert 15   Doctor      From 10 - 20 years    [(0.92,0),(0.0525,1),(0.08,1)]                0.6225    0.0264 
Expert 16   Master      From 10 - 20 years    [(0.84,0.84),(0.1225,0.1225),(0.16,0.16)]     0.8883    0.0377 
Expert 17   Doctor      From 10 - 20 years    [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)]     0.9596    0.0408 
Expert 18   Doctor      From 10 - 20 years    [(0.92,0),(0.0525,1),(0.08,1)]                0.6225    0.0264 
Expert 19   Master      From 10 - 20 years    [(0.84,0),(0.1225,1),(0.16,1)]                0.5725    0.0243 
Expert 20   Master      From 10 - 20 years    [(0.84,0.64),(0.1225,0.4225),(0.16,0.36)]     0.8094    0.0344 
Expert 21   Master      From 10 - 20 years    [(0.84,0),(0.1225,1),(0.16,1)]                0.5725    0.0243 
Expert 22   Master      From 10 - 20 years    [(0.84,0.36),(0.1225,0.7225),(0.16,0.64)]     0.7038    0.0299 
Expert 23   Doctor      From 10 - 20 years    [(0.92,0.64),(0.0525,0.4225),(0.08,0.36)]     0.8459    0.0359 
Expert 24   Master      From 10 - 20 years    [(0.84,0.96),(0.1225,0.0225),(0.16,0.04)]     0.9324    0.0396 
Expert 25   Doctor      From 10 - 20 years    [(0.92,0.36),(0.0525,0.7225),(0.08,0.64)]     0.7474    0.0317 
Expert 26   Bachelor    From 10 - 20 years    [(0.76,0.96),(0.2275,0.0225),(0.24,0.04)]     0.905     0.0384 
Expert 27   Master      From 10 - 20 years    [(0.84,0.96),(0.1225,0.0225),(0.16,0.04)]     0.9324    0.0396 
Expert 28   Master      From 10 - 20 years    [(0.84,0),(0.1225,1),(0.16,1)]                0.5725    0.0243 
Expert 29   Doctor      From 10 - 20 years    [(0.92,0.96),(0.0525,0.0225),(0.08,0.04)]     0.9596    0.0408 
Expert 30   Master      From 10 - 20 years    [(0.84,0.84),(0.1225,0.1225),(0.16,0.16)]     0.8883    0.0377 
Sum evaluation value                                                                        23.5443 


4.3 NZN DELPHI Results 


The experts assessed the relevance and importance of each risk to Vietnam's finance and banking system using the 
evaluation scale presented in Table 5. The evaluation results indicate that TH13 - Regulatory Compliance Risks and 
TH15 - Emerging Technologies Risks were rejected. A detailed presentation of the evaluation results for the 17 risks 
is provided in Table 9 below: 


Table 9: NZN DELPHI results 

Risks       Aggregate 30 assessment                                 Crisp value   Validate 
TH1         [(0.6506,0.5646),(0.3165,0.4176),(0.3494,0.4354)]       0.6943        Accepted 
TH2         [(0.604,0.5491),(0.3527,0.4356),(0.396,0.4509)]         0.6665        Accepted 
TH3         [(0.535,0.6367),(0.4319,0.3347),(0.465,0.3633)]         0.6757        Accepted 
TH4         [(0.6437,0.6093),(0.3119,0.3678),(0.3563,0.3907)]       0.7128        Accepted 
TH5         [(0.6486,0.5846),(0.3112,0.3923),(0.3514,0.4154)]       0.7037        Accepted 
TH6         [(0.5876,0.5765),(0.3774,0.4036),(0.4124,0.4235)]       0.6706        Accepted 
TH7         [(0.4928,0.6545),(0.4751,0.3106),(0.5072,0.3455)]       0.6666        Accepted 
TH8         [(0.5945,0.647),(0.3673,0.3233),(0.4055,0.353)]         0.7076        Accepted 
TH9         [(0.6041,0.6527),(0.3526,0.3136),(0.3959,0.3473)]       0.7154        Accepted 
TH10        [(0.5176,0.6601),(0.4631,0.3031),(0.4824,0.3399)]       0.6791        Accepted 
TH11        [(0.5458,0.664),(0.4233,0.2993),(0.4542,0.336)]         0.6944        Accepted 
TH12        [(0.5707,0.6122),(0.3944,0.3618),(0.4293,0.3878)]       0.6801        Accepted 
TH13        [(0.4824,0.3313),(0.5106,0.6911),(0.5176,0.6687)]       0.4869        Rejected 
TH14        [(0.5137,0.635),(0.4592,0.3385),(0.4863,0.365)]         0.6644        Accepted 
TH15        [(0.4889,0.3403),(0.4946,0.696),(0.5111,0.6597)]        0.495         Rejected 
TH16        [(0.6026,0.5809),(0.3589,0.3921),(0.3974,0.4191)]       0.6809        Accepted 
TH17        [(0.5296,0.6446),(0.4373,0.3218),(0.4704,0.3554)]       0.6778        Accepted 
Threshold                                                           0.663 


4.4 NZN DEMATEL Results 



After the NZN DELPHI phase, fifteen validated risks were included for evaluating their impact weight on the finance 
and banking system in Vietnam, as well as the cause-and-effect relationships between these factors. As outlined in 
section 3.3, experts evaluated pairs of factors to assess how they influence each other using the evaluation scale 
presented in Table 6. The data was processed using the DEMATEL method, presenting the total influence matrix as 
NZN numbers, as depicted in Table 10 below. 


Table 10: Total influence matrix


[15 × 15 matrix of NZN values over the validated risks TH1, TH2, TH3, TH4, TH5, TH6, TH7, TH8, TH9, TH10, TH11, TH12, TH14, TH16, and TH17; the individual cell values are scattered beyond recovery in the extracted text.]


The results presented in Table 10 were processed using Equation (12). Subsequently, Equations (25)-(29) were applied
to calculate the values of r, c, r + c, r - c, and the corresponding risk weights. The research findings
indicate that eight risks were classified into the cause group, exhibiting positive r - c values: TH3, TH4, TH9,
TH10, TH11, TH14, TH16, and TH17. Conversely, the remaining seven risks were categorized into the effect group,
namely TH1, TH2, TH5, TH6, TH7, TH8, and TH12. The weights and impact ratings of these risks are detailed in
Table 11:


Table 11: NZN DEMATEL results 


Risks   r         c         r + c     Weight    r - c     Relationship   Rank
TH1     12.3593   13.1063   25.4656   0.0655    -0.747    Effect         14
TH2     12.302    13.0377   25.3397   0.06518   -0.7357   Effect         15
TH3     13.423    12.6886   26.1116   0.06716   0.7344    Cause          5
TH4     13.3709   12.9724   26.3433   0.06776   0.3985    Cause          2
TH5     12.6817   13.2686   25.9503   0.06675   -0.5869   Effect         7
TH6     12.6727   13.1657   25.8384   0.06646   -0.493    Effect         9
TH7     12.6896   13.2284   25.918    0.06666   -0.5388   Effect         8
TH8     12.7494   13.3616   26.111    0.06716   -0.6122   Effect         6
TH9     13.2644   13.0362   26.3006   0.06765   0.2282    Cause          3
TH10    12.8755   12.8446   25.7201   0.06615   0.0309    Cause          11
TH11    13.212    13.0372   26.2492   0.06752   0.1748    Cause          4
TH12    12.6505   12.9928   25.6433   0.06596   -0.3423   Effect         12
TH14    13.3234   13.129    26.4524   0.06804   0.1944    Cause          1
TH16    13.4714   12.2788   25.7502   0.06623   1.1926    Cause          10
TH17    13.3475   12.2454   25.5929   0.06583   1.1021    Cause          13


Table 11 reveals that TH16 - Internet of Things (IoT) Vulnerabilities and TH17 - Insecure Application Programming
Interfaces (APIs) exhibit the greatest net influence, indicating their substantial causal impact. Javaheri et al. [13]
particularly highlight TH16 - Internet of Things (IoT) Vulnerabilities, emphasizing significant IoT-related risks that
can lead to DoS attacks or malware intrusion. Vulnerable IoT devices within banking infrastructure can be
exploited to compromise sensitive financial data or launch cyberattacks. While enhancing convenience, the
proliferation of IoT devices also escalates cybersecurity threats as cybercriminals exploit device connectivity for
attacks [80]. However, safeguarding IoT devices requires frequent and resource-intensive updates. TH17 - Insecure
Application Programming Interfaces (APIs) ranks second in terms of net impact value. Vulnerabilities within
APIs connecting different banking systems pose significant risks, allowing cybercriminals to exploit security 
weaknesses to gain unauthorized access to sensitive data or manipulate transactions [81]. Weaknesses in API security 
protocols may enable interception of critical data transmitted between banking systems, including customer account 
information and transaction details. Cybercriminals can manipulate API endpoints to execute unauthorized 
transactions or tamper with data within banking systems. As highlighted by previous research by Al-Rumaim and 
Pawar [63], these vulnerabilities contribute to an increased risk of cyber-attacks and compromise the system's integrity. 
Considering the top 5 risks with the highest influence weight, as presented in Table 11, these findings indicate that 
TH14 - Malware Infections is the cybersecurity risk exerting the most significant impact on Vietnam's banking and 
financial system. This outcome aligns with the study of Shulha et al. [8] and Javaheri et al. [13], highlighting the
substantial impact of malware infections on the efficiency of information technology systems and banking operations.
Indeed, malware poses a grave threat to the integrity of banking systems, potentially resulting in unauthorized 
transactions, data breaches, and disruptions to banking services. Javaheri et al. [13] have mentioned that the financial 
services sector accounted for 19% of total malware attacks and incurred approximately $18.3 billion in losses in 2017 
alone, making it the primary target of malware perpetrators. Ranked in second place is TH4 - Supply Chain 
Vulnerabilities. Previous research by Ahmed et al. [10] also highlighted Supply Chain Vulnerabilities as one of the top 
risks affecting the banking system. Undoubtedly, vulnerabilities in the security protocols of third-party vendors can 
be exploited, resulting in unauthorized access to financial systems and sensitive data [82]. The financial system's 
integrity is jeopardized when third-party hardware, servers, or transmission line providers suffer from issues such as 
aging infrastructure, subpar quality, lack of synchronization, or inadequate security measures. Consequently, any 
cyber-attacks targeting third-party devices, services, and systems can swiftly impact the financial and banking system. 
TH9 - Insider Threats is assessed to have the third-highest level of influence on Vietnam's financial and banking 
system. According to Javaheri et al. [13], human-related risks or insider attacks are prevalent cybersecurity concerns 
affecting the financial system. With a 47% increase in just two years, insider cybersecurity threats are evidently 
becoming a progressively serious issue for financial and credit institutions [83]. This risk entails employees or 
individuals with privileged access posing a threat by intentionally or unintentionally causing harm. Insider threats 
entail the risk of data theft, fraud, or sabotage by individuals with access to sensitive financial information. This results 
in significant economic damage and undermines customer trust in the financial system, impacting its integrity. Ranked 
fourth is TH11 - Weak Authentication Systems, which highlights security and authentication policies within the system. 
Inadequate authentication methods can make accessing customers' accounts and sensitive financial information easier 
for cybercriminals. A weak authentication system heightens the risk of unauthorized access, particularly in the age of 
advanced artificial intelligence technologies capable of mimicking biological characteristics. Javaheri et al. [13] also 
emphasize authentication as a critical area for addressing cybersecurity risks. Ranked fifth among the top five risks 
with the highest influence is TH3 - Mobile Device and Web Application Security Risks. Shulha et al. [8] have 
mentioned the significant impact of attacks on vulnerabilities in web application systems on banking information 
security. Mobile banking and web application vulnerabilities can be exploited to steal users' credentials and conduct 
fraudulent transactions. Data from security firm Kaspersky in July 2023 reveals that 17,847,857 malicious emails were 
blocked by Kaspersky's Anti-Phishing system in 2022, with 1,569,005 attacks targeting businesses and 16,278,852 
targeting consumers in Vietnam, especially on mobile devices [84]. Consequently, vulnerabilities in mobile and web 
applications pose a growing risk that profoundly impacts the security of the financial and banking system and users in 
Vietnam. 


Considering the cause-and-effect relationship between risks, Fig 3 below is an influential network relation map
(INRM) that illustrates the relationship between factors. In the INRM, the arrow symbol denotes the direction of
interaction between risks. Only relationships in the total influence matrix whose influence value exceeds the average
value are depicted by arrows. Taking r - c = 0 as the horizontal axis and the average of the largest and smallest
weight values as the secondary vertical axis delineates four risk groups across four quadrants. Quadrant I comprises
risks belonging to the cause group with strong influence, namely TH14, TH4, TH9, TH11, and TH3. Quadrant II includes
cause group factors with a lower influence compared to those in Quadrant I, consisting of TH16, TH10, and TH17.
However, TH16 and TH17 have the largest net influence values, which makes them particularly noteworthy. Quadrant IV
encompasses risks belonging to the effect group with significant influence, including TH8, TH7, and TH5. The
remaining risks, TH6, TH12, TH1, and TH2, are categorized as effect group factors with low influence.
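
The quadrant assignment described above can be reproduced from the r and c columns of Table 11. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, the weight formula (r + c divided by the sum of all r + c) is an assumption that reproduces the printed weights, and Quadrant III is taken to be the low-weight effect group.

```python
# Added example: derive the Table 11 columns and the INRM quadrants from r and c.
# The (r, c) pairs are copied from Table 11; every other value is computed.
TABLE_11_RC = {
    "TH1": (12.3593, 13.1063), "TH2": (12.3020, 13.0377),
    "TH3": (13.4230, 12.6886), "TH4": (13.3709, 12.9724),
    "TH5": (12.6817, 13.2686), "TH6": (12.6727, 13.1657),
    "TH7": (12.6896, 13.2284), "TH8": (12.7494, 13.3616),
    "TH9": (13.2644, 13.0362), "TH10": (12.8755, 12.8446),
    "TH11": (13.2120, 13.0372), "TH12": (12.6505, 12.9928),
    "TH14": (13.3234, 13.1290), "TH16": (13.4714, 12.2788),
    "TH17": (13.3475, 12.2454),
}


def dematel_summary(rc):
    """Return r + c, r - c, weight, group and rank for each risk."""
    total = sum(r + c for r, c in rc.values())
    rows = {}
    for risk, (r, c) in rc.items():
        rows[risk] = {
            "r_plus_c": r + c,
            "r_minus_c": r - c,
            # Assumption: weight = (r + c) / sum of all (r + c).
            "weight": (r + c) / total,
            # Positive net influence puts a risk in the cause group.
            "group": "Cause" if r - c > 0 else "Effect",
        }
    by_weight = sorted(rows, key=lambda k: rows[k]["weight"], reverse=True)
    for rank, risk in enumerate(by_weight, start=1):
        rows[risk]["rank"] = rank
    return rows


def inrm_quadrants(rows):
    """Split risks on r - c = 0 and on the midpoint of the largest and smallest weights."""
    weights = [row["weight"] for row in rows.values()]
    split = (max(weights) + min(weights)) / 2
    quads = {"I": set(), "II": set(), "III": set(), "IV": set()}
    for risk, row in rows.items():
        strong = row["weight"] > split
        if row["group"] == "Cause":
            quads["I" if strong else "II"].add(risk)
        else:
            quads["IV" if strong else "III"].add(risk)
    return quads


def largest_net_influence(rows, n=2):
    """Risks with the highest r - c, i.e. the strongest net causes."""
    return sorted(rows, key=lambda k: rows[k]["r_minus_c"], reverse=True)[:n]


if __name__ == "__main__":
    summary = dematel_summary(TABLE_11_RC)
    for risk, row in summary.items():
        print(f"{risk:5} {row['r_plus_c']:.4f} {row['weight']:.5f} "
              f"{row['r_minus_c']:+.4f} {row['group']:6} {row['rank']}")
    for name, members in inrm_quadrants(summary).items():
        print(name, sorted(members, key=lambda k: summary[k]["rank"]))
    print("largest net influence:", largest_net_influence(summary))
```

Sorting by the computed weight places TH12 twelfth, between TH10 and TH17.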



Fig 3: Influential network relation map (INRM) 


As outlined earlier, the five risks identified in the first quadrant exert the most significant influence. These risks are 
inherent to the cause group and carry substantial weight, making them pivotal factors that must be addressed to 
mitigate threats to the Vietnamese financial and banking system. Malware infections (TH14), for instance, serve as 
underlying causes contributing to various risks such as data breaches (TH7), where spyware is utilized to acquire 
sensitive information illicitly; ransomware attacks (TH6), wherein malware encrypts data and demands ransom for its 
release, and phishing attacks (TH8), where malware facilitates external actors in phishing users within internal systems 
and also increases cloud security risk (TH1) because malware can affect and penetrate the cloud system [13,85,86]. 
Moreover, malware possesses the capability to compromise authentication systems (TH11) through destructive or 
deceptive means and serves as a tool for man-in-the-middle attacks (TH12), thus exacerbating the threat landscape 
[13,86]. Malware infections emerge as fundamental causes that significantly impact a majority of the identified risks, 
underscoring the critical importance of addressing them to enhance the resilience and integrity of the financial system. 
Malware represents an external risk agent compromising system integrity, while TH11 - Weak Authentication Systems, 
constitutes an internal risk factor within the system. Ranked fourth in weight among the cause group, weak 
authentication systems significantly influence multiple risks. They heighten the system's vulnerability to penetration, 
particularly concerning biometric data vulnerabilities (TH10), given the advancements in AI spoofing technology [87]. 
Additionally, weak authentication systems amplify threats posed by TH1, TH6, TH7, and TH8, akin to malware 
infections. Consequently, inadequate security and authentication systems elevate susceptibility to external threats, 
jeopardizing system security and integrity. TH4 - Supply Chain Vulnerabilities emerge as another significant risk 
factor contributing to numerous other risks. Research findings underscore its position as the second most influential 
risk within the cause group. Weaknesses in third-party systems render the entire infrastructure susceptible to attacks, 
fostering risks associated with data compromise (TH7, TH1), phishing (TH8), and even amplifying the threat of DoS
attacks (TH5) due to system vulnerabilities. Inadequate security measures and authentication within third-party
devices and services exacerbate risks such as TH3, TH10, and TH11, thereby increasing the likelihood of cyber attacks
originating from these vulnerabilities [88]. TH9 - Insider Threats present another internal risk factor from the parties
operating within the system. Unlike external threats, insider threats entail risks from within the organization itself.
Employees falling victim to phishing attacks (TH8), divulging confidential data (TH7), engaging in espionage 
activities, system disruption (TH12), or installing malicious software (TH14) are plausible scenarios [89]. Furthermore, 
insiders' inadvertent or deliberate disclosure of authentication and security-related information (TH10, TH11) further
heightens systemic risks. Internal threats significantly impact the banking and financial system, providing external 
actors with more favorable conditions to exploit vulnerabilities and undermine system integrity [13]. TH3 - Mobile 
Device and Web Application Security Risks rank as the fifth most weighted cause among the identified risks. Elevated 
Mobile Device and Web Application Security risks heighten the system's vulnerability to infiltration from these 
devices, exposing it to a range of risks outlined by TH1, TH5, TH6, TH7, TH8, and TH9. Weaknesses in system 
structure, alongside inadequate authentication systems, contribute to the prevalence of attacks targeting mobile devices 
and websites [90]. This common risk serves as a precursor to numerous other risks listed, emphasizing its critical role 
in the system's security landscape. As highlighted earlier, TH16 and TH17 exhibit the largest net influence value
despite falling within quadrant II. According to Javaheri et al. [13], IoT vulnerabilities catalyze risks such as DoS
attacks (TH5) and susceptibility to malware (TH14), leading to system vulnerabilities. Cyber attackers can exploit IoT
vulnerabilities to compromise data security (TH7) or disrupt cloud systems (TH1). Moreover, heightened IoT risks
exacerbate the likelihood of cyber attacks, impacting the overall system safety and integrity (TH5, TH6, TH8, TH12) [91].
Given their wide-reaching implications, proactive measures against IoT vulnerabilities are imperative. TH17 - Insecure
Application Programming Interfaces (APIs) is a risk with a significant net impact value. Vulnerabilities in APIs can be
exploited to bypass authentication mechanisms or inject malicious code into the system (TH14), facilitating
unauthorized access and fraudulent activities. Similar to IoT vulnerabilities, API-related risks are connectivity-related,
increasing the likelihood of cyber attacks such as TH5, TH6, TH8, and TH12 while also heightening risks associated with
data security and cloud systems (TH1, TH7) [63]. These vulnerabilities underscore the importance of addressing API security
to mitigate broader cybersecurity threats. As elucidated above, risks within quadrants III and IV, attributed to the effect 
group, predominantly arise or escalate in likelihood due to the influence of risks originating from the cause group. 
TH8, TH5, TH7, TH9, TH6, TH1, TH2, and TH12 represent common cyber attack vectors orchestrated by external 
actors. These risks become more pronounced when the system experiences vulnerabilities from internal disruptions, 
weak authentication processes, or malware-induced compromises to security and system integrity. Factors within this 
effect group significantly influence the financial and banking system, exemplified by TH8, TH7, and TH5, ranked 
sixth, seventh, and eighth in impact weights, respectively. All 15 risks above carry notable implications for the 
Vietnamese financial and banking system, underscoring the imperative to devise comprehensive solutions to mitigate 
these risks. Priority should be accorded to addressing causes within the cause group, given their propensity to catalyze 
and exacerbate numerous other risks across the system. 


4.5 NZN COCOSO Results 


Experts will assess the ten proposed strategies to determine their effectiveness in minimizing and mitigating risks. 
Experts will evaluate these strategies using the scale provided in Table 6. The combined evaluation results from 30 
experts, standardized according to Equation (28)-(29), are presented in Table 12: 


Table 12: Normalized assessment matrix


The data in Table 13 is processed using Equation (30)-(41) to calculate the results A;, ;, and C;,, C;,;, C;;;, along
with the ranking order of the strategies. The results are presented in Table 13 below:


Table 13: NZN COCOSO Results


Strategies   A_i      ¥_i      A_i + ¥_i   Cy
SG1          0.6596   0.6588   0.7198      0.099
SG2          0.6686   0.6683   0.7299      0.1004
SG3          0.6702   0.6697   0.7315      0.1006
SG4          0.6665   0.666    0.7272      0.1
SG5          0.6662   0.6659   0.7271      0.1
SG6          0.6643   0.6639   0.7248      0.0996
SG7          0.666    0.6656   0.7267      0.0999
SG8          0.6643   0.6639   0.7251      0.0997
SG9          0.6681   0.6678   0.729       0.1002
SG10         0.671    0.6705   0.7324      0.1007
Max          0.6718   0.6715   0.7324
Min          0.6596   0.6588   0.7198

Ci (incomplete in the extracted text; values in the order extracted): 0.4202, 0.4363, 0.4064, 0.4020, 0.3866, 0.4025, 0.3831, 0.4237
Cun (incomplete): 0.9917, 0.9913
C (incomplete): 0.8395, 0.82604, 0.85435


The ranking results of 10 strategies using the NZN COCOSO method are as follows:
SG10>SG3>SG9>SG2>SG4>SG5>SG7>SG6>SG8>SG1. Thus, SG10, SG3, and SG9 are the top 3 strategies rated
best in facing Vietnam's financial and banking system risks. SG10 - Investing in Advanced Threat Detection Systems
is crucial for addressing essential banking and financial sector cybersecurity risks. Enhancing the system contributes 
significantly to the early detection of security vulnerabilities and system flaws, enabling prompt repairs and 
remediation actions [92,93]. This proactive approach reduces the susceptibility to various types of cyber attacks, 
mitigating the risk of system infiltration and thereby diminishing risks such as TH3, TH5, TH6, TH7, TH8, TH12, 
TH16, and TH17. Upgrading threat detection systems enables swift identification of malicious codes and programs 
(TH14) attempting to breach the system, as well as vulnerabilities in security protocols (TH10, TH11), and errors
stemming from hardware, connections, or third-party involvements (TH4, TH16) [94]. A proactive defensive strategy 
entails early risk detection and mitigation, offering a comprehensive approach to addressing the abovementioned 
spectrum of risks [73]. Financial institutions strategically deploying such solutions fortify their defenses against 
emerging threats, enhancing overall resilience to cybersecurity challenges. SG3 - Implementing Robust Employee 
Training Programs emerges as the second-highest-rated strategy among the top three. This strategy focuses on 
enhancing employee competencies and cultivating a vigilant stance toward mitigating cybersecurity risks [66]. Its 
primary objective is to minimize insider threats by fostering employee awareness of cybersecurity indicators, thereby 
reducing both inadvertent incidents and intentional violations. By bolstering employee awareness, the likelihood of 
falling victim to external cyber-attacks such as Phishing (TH8) or Malware (TH14) diminishes as employees become 
more discerning with emails and suspicious links while also promptly reporting any anomalies to IT personnel [95]. 
Risks associated with TH1, TH5, TH6, TH11, TH12, TH16, and TH17 are likewise mitigated as employees augment 
their skills and assume greater responsibility in averting cybersecurity threats. Implementing robust employee training 
programs not only fortifies the organization against internal vulnerabilities but also creates a culture of cybersecurity 
consciousness that permeates throughout the institution, thus enhancing overall resilience to cybersecurity risks [96]. 
SG9 - Enforcing Multi-Factor Authentication (MFA) is recognized as the third-best strategy among the ten 
recommended approaches. This strategy directly addresses the risk posed by TH11 - Weak Authentication Systems. 
Implementing MFA fortifies the authentication system with advanced and precise authentication measures, thereby 
mitigating TH10 - Biometric Data Vulnerabilities risk and enhancing detection and prevention capabilities (Kebande 
et al., 2021). Adopting MFA enhances the protection of websites and applications (TH3) and reduces the risk of 
intrusion resulting from third-party errors (TH4). Consequently, the overall risk stemming from external attacks is 
diminished, lowering the likelihood of data breaches and cloud security vulnerabilities (TH1, TH7) [87]. This 
proactive solution strengthens system defenses, upgrades authentication protocols, and minimizes unauthorized access 
from external entities [72]. Therefore, these three strategies have effectively addressed and mitigated most of the risks 
outlined earlier. Primarily defensive, they involve upgrading defense systems to proactively detect threats early on 
while fortifying and minimizing internal threats within the organization. 


4.6 Sensitivity analysis


To assess the robustness of the ranking results obtained through the NZN COCOSO method, a sensitivity analysis was
performed by varying the ω value from 0.1 to 0.9. This procedure serves to mitigate potential human judgmental
biases that could influence decision outcomes [98]. Table 14 below presents the values of C_i under different ω values.


Table 14: C_i under different ω values


ω       0.1       0.2       0.3       0.4       0.5       0.6       0.7       0.8       0.9
SG1     0.78989   0.78989   0.78993   0.78998   0.79002   0.79002   0.79006   0.79011   0.79015
SG2     0.85283   0.85283   0.85283   0.85283   0.85283   0.85283   0.85283   0.85283   0.85283
SG3     0.86383   0.86387   0.86387   0.86387   0.86392   0.86392   0.86392   0.86396   0.86396
SG4     0.84227   0.84231   0.84231   0.84231   0.84236   0.84236   0.84236   0.8424    0.8424
SG5     0.83951   0.83951   0.83951   0.83951   0.83951   0.83951   0.83951   0.83951   0.83951
SG6     0.82804   0.82804   0.82804   0.82804   0.82808   0.82808   0.82808   0.82808   0.82808
SG7     0.83945   0.83945   0.8395    0.8395    0.8395    0.8395    0.8395    0.8395    0.83954
SG8     0.826     0.826     0.826     0.826     0.82604   0.82604   0.82604   0.82604   0.82604
SG9     0.85435   0.85435   0.85435   0.85435   0.85435   0.85435   0.85435   0.85435   0.85435
SG10    0.86999   0.87003   0.87003   0.87003   0.87008   0.87008   0.87008   0.87008   0.87012


The ranking order of strategies based on the C_i value is displayed in Fig 4 below. Across varying values of ω from
0.1 to 0.8, the ranking order of the ten strategies remains consistent. However, with ω set at 0.9, the ranking order of
SG5 and SG7 shifts, while the positions of the remaining eight strategies remain unchanged. Notably, the top 5 ranking
order remains consistent across different ω values, with SG10 consistently rated as the highest-ranking strategy. This
underscores the reliability and certainty of the ranking results.


Fig 4: Sensitivity analysis results


4.7 Comparative analysis


A comparative analysis assessed the accuracy and reliability of the ranking results obtained through the NZN 
COCOSO method [99]. This analysis involved comparing the rankings generated by two other methods: NZN TOPSIS 
and NZN MOORA. Figure 5 below presents the results of ranking the ten strategies using all three methods, allowing 
for a comprehensive comparison of their outcomes.


Fig 5: Comparative results


Fig 5 illustrates the ranking outcomes from the three methods, consistently positioning strategy SG10 at the top and
SG3 in the third position. Notably, SG10, SG3, SG2, and SG9 consistently rank among the top four strategies across 
all three methods. Table 15 below presents the results of the correlation analysis conducted among the ranking orders 
derived from the three methods, providing further insights into the alignment and consistency of the rankings. 


Table 15: Pearson correlation analysis 


                                       NZN COCOSO   NZN TOPSIS   NZN MULTIMOORA
NZN COCOSO       Pearson Correlation   1            .939**       .988**
                 Sig. (2-tailed)                    0            0
NZN TOPSIS       Pearson Correlation   .939**       1            .952**
                 Sig. (2-tailed)       0                         0
NZN MULTIMOORA   Pearson Correlation   .988**       .952**       1
                 Sig. (2-tailed)       0            0


** Correlation is significant at the 0.01 level (2-tailed). 


The results of the Pearson correlation analysis indicate that the correlation coefficient between pairs of ratings exceeds 
0.6, and the Sig value is less than 0.05, as indicated in Table 15. These findings suggest a strong positive correlation 
among the sets of rating results [100]. Combined with the earlier comments regarding the ranking orders, it becomes 
evident that the ranking results derived from the NZN COCOSO method are reliable and consistent. 
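
The rank-stability claim of section 4.6 and the rank-correlation statistic reported in Table 15 can be checked directly against the values of Table 14. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and because the NZN TOPSIS and NZN MULTIMOORA rankings are not listed on the page, the correlation is computed only between the first and last columns of Table 14.

```python
# Added example: rank stability across Table 14 and Pearson correlation of rank vectors.
# Values are copied from Table 14; columns correspond to the parameter values below.
PARAM_VALUES = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]
TABLE_14 = {
    "SG1": [0.78989, 0.78989, 0.78993, 0.78998, 0.79002, 0.79002, 0.79006, 0.79011, 0.79015],
    "SG2": [0.85283] * 9,
    "SG3": [0.86383, 0.86387, 0.86387, 0.86387, 0.86392, 0.86392, 0.86392, 0.86396, 0.86396],
    "SG4": [0.84227, 0.84231, 0.84231, 0.84231, 0.84236, 0.84236, 0.84236, 0.8424, 0.8424],
    "SG5": [0.83951] * 9,
    "SG6": [0.82804] * 4 + [0.82808] * 5,
    "SG7": [0.83945, 0.83945, 0.8395, 0.8395, 0.8395, 0.8395, 0.8395, 0.8395, 0.83954],
    "SG8": [0.826] * 4 + [0.82604] * 5,
    "SG9": [0.85435] * 9,
    "SG10": [0.86999, 0.87003, 0.87003, 0.87003, 0.87008, 0.87008, 0.87008, 0.87008, 0.87012],
}


def ranking_at(index):
    """Strategies ordered from best to worst score in one column of Table 14."""
    return sorted(TABLE_14, key=lambda s: TABLE_14[s][index], reverse=True)


def rank_changes():
    """Map each parameter value to the strategies whose position differs from the first column."""
    baseline = ranking_at(0)
    changes = {}
    for i, value in enumerate(PARAM_VALUES):
        order = ranking_at(i)
        moved = sorted(s for s in order if order.index(s) != baseline.index(s))
        if moved:
            changes[value] = moved
    return changes


def pearson(xs, ys):
    """Plain Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def rank_correlation(order_a, order_b):
    """Pearson correlation of two rankings, aligned by strategy name."""
    names = sorted(TABLE_14)
    ranks_a = [order_a.index(s) + 1 for s in names]
    ranks_b = [order_b.index(s) + 1 for s in names]
    return pearson(ranks_a, ranks_b)


if __name__ == "__main__":
    print("baseline ranking:", " > ".join(ranking_at(0)))
    print("positions that change:", rank_changes())
    print("correlation, first vs last column:",
          round(rank_correlation(ranking_at(0), ranking_at(8)), 4))
```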


5. Conclusion 


Theoretically, this study integrates NS theory with Z-number theory to enhance the reliability and accuracy of data 
analysis while capturing the level of certainty among respondents. By employing this innovative approach, the data 
reflects higher accuracy, leading to more precise results. The proposed method combines NZN and Z-number theories 
with MCDM methods such as DELPHI, COCOSO, TOPSIS, and MULTIMOORA to elevate the accuracy of data 
analysis. In practical terms, this research reveals 15 cybersecurity risks impacting Vietnam's financial and banking 
system, with Malware Infections and Supply Chain Vulnerabilities emerging as the most influential risks. These two 
risks serve as two of the seven root cause factors significantly affecting other risks and the overall security and integrity 
of Vietnam's banking system. Investing in Advanced Threat Detection Systems is the highest-rated strategy for 
mitigating these risks. This strategy is particularly beneficial as it directly addresses the root causes of many 
cybersecurity threats, enhancing the overall security and resilience of Vietnam's financial and banking infrastructure. 
Implementing advanced threat detection systems can prevent malware infections and mitigate supply chain 
vulnerabilities, ensuring a more secure financial environment. The proposed strategies offer significant benefits for 
Vietnam's financial and banking system. Advanced threat detection systems enable proactive identification and 
neutralization of threats, safeguarding sensitive data and building consumer and stakeholder trust. By addressing root 
causes, these strategies enhance the resilience and adaptability of the cybersecurity framework. The implications for 
Vietnam are substantial. Strengthened cybersecurity will protect financial transactions and data, support economic 
stability, and maintain investor confidence. Furthermore, these strategies can serve as a model for other developing 
countries facing similar cybersecurity challenges, promoting a more secure and stable financial environment globally. 
This study demonstrates the value of integrating advanced analytical methods to identify and manage cybersecurity 
risks, providing actionable strategies to safeguard Vietnam's financial and banking system and support its economic 
growth. 


However, the study has some limitations. Although the sample size exceeds the standard of 10-14 responses, increasing 
it further would enhance the study's accuracy. Additionally, the scope is limited to Vietnam, so the findings are not 
globally applicable. In the comparative analysis, only TOPSIS and MULTIMOORA were used, omitting other ranking 
methods. Future research should integrate the NZN model with other ranking methods such as VIKOR, EDAS, 
COPRAS, and MCDM. Expanding the scope beyond a single country and improving the quality of the expert panel 
will also be objectives to increase the study's accuracy and reliability. 